Analyzing Computer Security: A Threat–Vulnerability–Countermeasure Approach
Instructor’s Manual
Charles P. Pfleeger
Shari Lawrence Pfleeger
September 2011
Analyzing Computer Security — Solutions Manual ., Inc.
Support for Instructors
This manual contains suggested solutions to exercises from the book. These answers are intended to guide you if you assign these exercises as homework or classroom discussion projects. Naturally, creative students may come up with answers different from the ones we suggest here. Few of these exercises have a single “right” answer. Instead, their purpose is to challenge students to analyze a situation from a threat–vulnerability–countermeasure approach and present the steps of their reasoning. In this solutions manual we suggest some possibilities, but you will want to encourage your students’ imagination by gently nudging them toward acceptable answers. And remember that your students may come up with acceptable answers different from the ideas we present here. We tend to present only outlines of answers, such as phrases that suggest a line of reasoning; you and your students will amplify these outlines into complete thoughts. In this solutions manual we have also added more exercises that you may use for discussion or homework, to help students learn the material. We have also included any suggestions for how to approach teaching the content of each chapter.
Interludes
We also include three unnumbered chapters that we call “interludes.” Each presents a current, real-life situation with computer security implications. These chapters are intended as extended student exercises to give students a chance to apply the analytical framework of threat–vulnerability–countermeasure creatively. You may want to use them in general class discussion, assign them to students to work on individually or in small groups, set them as competing team exercises, or invite students to delve into them for term papers or class presentations. In this manual we offer some suggestions of probing questions you can use to stimulate students. Keep in mind that broad topics such as these have many possible threats and vulnerabilities, so the students should come up with numerous problems and potential approaches.
Afterword
This book ends with an Afterword, which is not so much a summary chapter as it is a means for looking forward. This book covers numerous specific attacks and vulnerabilities, with countermeasures tailored to each. However, the Afterword takes a broader perspective: What could improve cybersecurity in general, not in response to one specific threat?
Table of Contents
Building a Course
Support for Instructors
Interludes
Afterword
Chapter 1: Security Blanket or Security Theater?
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 2: Knock, Knock. Who’s There?
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 3: 2+2 = 5
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 4: A Horse of a Different Color
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 5: The Keys to the Kingdom
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Interlude A: Cloud Computing
  Instructional Suggestions
Chapter 6: My Cup Runneth Over
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 7: He Who Steals My Purse …
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 8: The Root of All Evil
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 9: Scanning the Horizon
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 10: Do You Hear What I Hear?
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 11: I Hear You Loud and Clear
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Interlude B: Electronic Voting
  Instructional Suggestions
Chapter 12: Disregard That Man Behind the Curtain
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 13: Not All Is As It Seems
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 14: Play It [Again] Sam, or, Let’s Look at the Instant Replay
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 15: I Can’t Get No Satisfaction
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Interlude C: Cyberwarfare
  Topic Reading and Discussion Points
  Security Analysis
  Suggestions for Further Work
Chapter 16: ‘Twas Brillig and the Slithy Toves …
  Chapter Exercises
  Additional Exercises
Chapter 17: Peering Through the Window
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Chapter 18: My 100,000 Nearest and Dearest Friends
  Instructional Suggestions
  Chapter Exercises
  Additional Exercises
Afterword
Chapter 1: Security Blanket or Security Theater?
This chapter is intended to introduce the student to the entire field of computer and information security. It defines important terms and concepts, such as threat, vulnerability, countermeasure, method, opportunity, motive, attack, harm, confidentiality, integrity, and availability. The student must understand these terms well, because they are fundamental to understanding everything else in this book. Therefore, these exercises are important for determining whether a student is ready to move on to the more specific chapters of the rest of the book.
Instructional Suggestions
Because this chapter introduces the student to many fundamental concepts, it is important to present them slowly and carefully. You may want to present a topic, such as method–opportunity–motive, and then challenge your students to cite examples of those elements from everyday experience or recent incidents. Fortunately, the news media are replete with examples in the area of computer security.
Chapter Exercises
1.
List at least three kinds of harm a company could experience from electronic espionage or unauthorized viewing of company confidential materials. Loss of business or competitive advantage, public embarrassment (leading to loss of business), legal action for failing to maintain secrecy of protected data (such as healthcare data, employee private data, personal financial data).
2.
List at least three kinds of harm a student could experience from electronic espionage or unauthorized viewing of personal materials. Public humiliation, loss of friends’ confidence, legal action for failing to maintain secrecy of protected data.
3.
Describe a situation in which complete denial of service to a user (that is, the user gets no response from the computer) is a serious problem to that user. Describe a situation in which 10% denial of service (that is, the response from the computer is 10 percent slower than normal) is a serious problem to a user. Complete denial of service: any critical computing task, such as computer-assisted education, real-time accounting, or word processing for a student preparing a paper. Loss of 10 percent service: Computer-assisted medicine (surgery or drug dosing), streaming audio or video, or competitive online merchandising.
4.
Consider the web site of an organization many people would support, for example, an environmental group or a charity. List at least three classes of people who might attack that web site. What are their motives? Consider the web site of a controversial organization, for example, a group of extreme ideology. List at least three classes of people who might attack that web site. What are their motives? Can you build a list of three classes that would attack both types of sites? Charity: opponents of the cause, rivals, undirected (random) attackers. Controversial: same.
5.
Do you think attempting to break in to (that is, obtain access to or use of) a computing system is ethical? Why or why not? Do you think that act should be illegal? Why or why not? Base your answer on harm: Who is harmed, to what degree, and does benefit to the person breaking in override the harm? First point: Ethics is not the same as law. Something can be unethical (for example, cheating on an exam) but not illegal. Breaking in harms the victim through loss of confidentiality, inappropriate modification, denial or disruption of service, or even just a sense of violation. Thus, even if nothing is “taken,” it is hard to argue that breaking in is not unethical. As to legality, there are laws against breaking into certain computing systems, even without causing apparent damage. (Passing a law does not make unwanted behavior disappear, however; there are laws against murder, but murders occur daily.) Having a law may improve the likelihood or ease of prosecution.
6.
Consider electronic medical records. Which of confidentiality, integrity and availability do their users require? Cite examples of each of these properties you think are required. Describe at least two kinds of people or situations that could threaten each property you name. All three. Confidentiality to preserve patients’ privacy; integrity to ensure correct treatment, and availability to ensure necessary data are available for treatment. Confidentiality, integrity, and availability can be attacked by careless medical professionals, hackers, or unscrupulous people in the industry (for example, drug manufacturers or even medical software developers).
7.
Distinguish among threat, threat agent, vulnerability, harm, and control. A threat is a situation with the potential to cause harm. A threat agent is an actor—often a person but sometimes an object such as a vicious dog, an exposed electrical wire, or a windstorm—that allows a threat to be actualized. A vulnerability is a weakness, a hole through which harm takes place. Harm is unwanted behavior. A control prevents, detects, deters, or otherwise mitigates the harm of a threat exploiting a vulnerability.
8.
Not all kinds of computer harm are illegal. List five examples of harm that is not illegal. Fire, floods, and other kinds of physical disasters. Harm from inadvertent human errors (other than negligent behavior). Failed or degraded access because of inadequate capacity. Hardware failures. Access failure from forgetting a password.
9.
Consider the example with which this chapter began: a series of seemingly unrelated events, including failure of the communications and electrical power networks. Describe a scenario in which these could all occur concurrently but not be related. Describe a way at least one could lead to another. Describe a way you could determine the root cause of each failure. Concurrent but unrelated: accident of nature. One leading to another: electrical failure leads to communications failure (because communications providers, such as mobile phone networks, cannot operate without power). Root cause: difficult to discern. A precise timeline would show which event occurred before, especially immediately before, others, and error logs of the electrical and communications networks would show which conditions were detected when (although time of detection is not necessarily the same as time of occurrence.)
10.
Continuing from question 9, suppose you were a malicious agent assigned to cause failure of the telecommunications and electric power systems. What steps could you take to make it difficult to determine who you are? What steps could you take to make it difficult to determine that the attack was malicious and not a natural accident? What steps could you take to make it seem as though the cause was someone else, for example, a particular foreign country? Protecting identity: Obvious first step: work remotely. Second, employ local agents as necessary, but give each only partial information so no one person understands full plot. Third, work through several layers of intermediaries. Malicious or accident: Time activity to coincide with convenient natural disaster, for example, power disruption during a thunderstorm. Cause a “natural” disaster that diverts attention, for example, a truck accident that blocks traffic on a significant highway or an electrical power surge that affects a newspaper publisher or the emergency response telephone network. Redirecting the blame: Plant “seeds” that seem to come from the country, such as messages warning of an attack or stories leaked to friendly journalists.
11.
Consider a restaurant with an online reservation system for patrons. What confidentiality, integrity, and availability threats might such a system experience? Hypothesize vulnerabilities in such a system that an attacker might try to exploit. What countermeasures could be applied against these threats? Confidentiality: acts to determine identities of patrons or to learn how much business the restaurant is doing; integrity: acts to create fictitious reservations, delete reservations, or modify existing reservations. Availability: threats of hardware failure, software failure, unacceptable performance. Vulnerabilities: software faults, unstable hardware. Countermeasures: redundancy (paper backup).
12.
Suppose a payroll system secretly leaks a list of names of employees earning more than a certain amount each pay period. Who would be harmed by such a vulnerability? How could such a vulnerability come about? What controls could be instituted to counter such a vulnerability? Suppose the leakage were not just names but also employees’ identification numbers and full pay amounts. Would the people harmed or the degree of harm be different? Why or why not? If the employees are the ones suffering the greatest harm, who should be responsible for countering this vulnerability: the employee or the employer? Why? Harm: Employees, company management. Names and personal details: People harmed, the same; degree of harm, greater (more sensitive details exposed). Responsibility: The employee has little control over a payroll system, and thus can do little to protect against its faults (other than, perhaps, giving a false name to the employer, which has other negative consequences).
13.
A letter arrives in the surface mail apparently from your bank, but you are skeptical of its origin. What factors would make you skeptical? How could the bank help allay your skepticism in advance of sending the letter? What could the bank put in the letter itself that would reduce your skepticism? Would your answers be the same if the bank sends email instead of a surface mail letter? Factors: quality of stationery and printing, appearance of envelope, wording of message (including spelling and grammar), also whether the content seems reasonable. Advance warning: a notice included with the regularly-sent monthly statement alerting customers that the bank would soon send a letter and outlining the topic. In the letter: some characteristic of the account, for example, part of the account number or reference to a recent transaction. Email: same answers.
14.
Consider a program you could install on your own personal web page to display your city’s current time and temperature. What threats could this program cause to you? To people who visit your web site? What controls could counter those threats? This question is a precursor for Chapter 4 on malicious code. Any program can affect other programs in concurrent execution by modifying the other programs’ code, intercepting data before or after processing by the other program, or denying access. The fact that a program has an apparently benign function—in this case time and temperature—is irrelevant.
15.
Consider a program that allows people to order goods over the Internet. What threats could this program cause to users (purchasers)? What threats could this program cause to the merchant? Hypothesize three vulnerabilities that could allow these threats to be actualized. Threats to users: confidentiality, exposure of personal data (credit card number); integrity, incorrect order (wrong item, wrong quantity, wrong price); availability: inability to order desired merchandise. Threats to merchant: exposure of customers’ personal data, disclosure of customer list, disclosure of business condition (number of orders, for which products, at what prices); integrity: failure to record or retain order, recording incorrect order or modification of order, deletion of existing order; availability: customers’ inability to access system (and to place orders). Vulnerabilities: software fault, power failure, inadequate capacity.
16.
Suppose you are a talented sailor about to race your boat in a yachting competition. A possible threat to winning is cancellation of the event because of adverse weather conditions. List three other threats you might encounter as you try to win by posting the fastest finishing time. List three vulnerabilities those threats might exploit. List three countermeasures against those threats. Threats: foul weather, mechanical failure of boat, inaccurate (or maliciously faulty) officials. Vulnerabilities: wind causes boat to capsize (countermeasure: mechanical stabilizers, waiting out bad weather in a safe position); rotting wood causes boat to leak (countermeasure: inspection before race); bribery (countermeasure: multiple officials, independent skeptical observers).
17.
Suppose you are a spy, and you need to pass secret materials to another spy, Agent Smart. However, you and Smart have never before met. You are aware that hostile forces are all around, any one of whom might try to impersonate Smart; if you approach someone and ask if she is Agent Smart, she might say she is even if she is not. Suggest a control for this threat—that is, a way you could be convinced the person to whom you are talking is really Agent Smart. Would your technique work if you assumed your telephone and mail were being monitored by the hostile agents? Suggest a way that would work even if your communications were monitored. This problem is hard; establishing a basis for trust between two previously-unknown parties is a continuing difficulty for computer situations. This exercise leads to the shared secret problem for cryptographic key exchange (of Chapters 11 and 13). If you and Smart had a common friend (or co-worker) you could cite some common characteristic or event. You could also ask a mutual friend to supply each of you with an identifying phrase. The situation is even more difficult if you assume communications are monitored, because then asking a common friend for an introductory pass phrase could also be intercepted. The question asks about phone and postal communications being intercepted, or perhaps modified, but it does not preclude direct person-to-person communication. If you and Smart have a common friend or associate with whom you can feasibly arrange direct interaction, the friend can supply you each with an introductory phrase.
Additional Exercises
1.
Theft usually results in some kind of harm. For example, if someone steals your car, you may suffer financial loss, inconvenience (loss of your means of transportation) and emotional upset (because of invasion of your personal property and space). List three kinds of harm a company might experience from theft of computer equipment. Inability to do business, loss of confidentiality of sensitive data stored on the computers, financial loss of the value of the equipment itself.
2.
Describe two examples of vulnerabilities in automobiles for which auto manufacturers have instituted controls. Tell why you think these controls are effective. Exposure of occupants to rain, controlled by roof and body, an effective control. Ability of car to turn over in an accident, countered by weight and balance, only sometimes effective (as evidenced by automobile crashes).
3.
Cite an example of data whose confidentiality has a short timeliness (say, a day or less). Describe an example of data whose confidentiality has a timeliness of more than a year. Short: Name of an award winner, for example, the Nobel prizes. Long: individuals’ personal data (for example, private identification numbers or birthdates), patentable laboratory research.
4.
Do you currently use any computer security controls? If so, what? Against what threats are you trying to protect? Anti-virus software: to protect against malicious code. Firewall: to protect against intrusion by outside programs or agents. Automatic code update programs, to protect against exploitation of newly-discovered faults in operating system or application code.
5.
Consider a program that allows a surgeon in one city to assist with an operation in another city, either by manipulating the actual instruments remotely, or just by observing the operation and offering suggestions to the onsite surgical team. Who might want to attack such a program? What nature of attack might be attempted? How could such attacks be prevented? Random attackers might go after this application or its computing platform without attention to the program being run. Furthermore, if the patient was an important political person, adversaries might want to interfere maliciously with the operation. The most likely attack, because it would probably be easiest, would be denying availability, probably by severing the communications link between the surgeon and the operating room. For such an attack, dual, redundant links would be a suitable countermeasure.
6.
Cite an example in which a failure of one security property, for example confidentiality, leads to failure of another property, for example availability. If a person’s password becomes known (confidentiality), an attacker could use that password to impersonate the user, login, and change the password, thereby denying the user legitimate access.
7.
A classroom teacher and her students share use of one computer. What problems does this present for the teacher? How can the teacher protect her computing against threats from the students? Confidentiality and integrity of the teacher’s materials are at risk; thus the teacher might decide not to keep sensitive data (such as students’ grades) on the computer. Furthermore, actions of the students might harm the computer or its software, thereby denying other students and the teacher access. The teacher might keep a backup version of the operating system and critical applications on a separate medium (such as a DVD).
8.
Cite three problems with using the legal system to protect computer systems. Police forces and prosecutors are not always competent at investigating computer crime cases and trying criminals. Computer crimes can be committed remotely, sometimes from foreign countries, which limits the ability of one country’s judicial system to prosecute criminals. Legal penalties are not always strong enough to deter criminals.
9.
Various cyber security exercises have been performed throughout the world. Describe the limitations of such analysis. Each such exercise is exactly that: an exercise. It is limited by the seriousness of the participants and the creativity of the organizers. Few people are involved, so the effect on all relevant parties is limited.
10.
Cite an example of each of the following: Computer as target of attack, method of attack, enabler of attack, enhancer of attack. Target: web site modification. Method: malicious code (for example, virus, Trojan horse). Enabler: email (sending spam to hundreds of thousands of recipients with the click of one button). Enhancer: chat rooms by which hackers exchange attack knowledge.
11.
Describe the concepts of method, opportunity, and motive as they apply to disabling a car by removing a key component. First you must know which components are essential for starting or running the car. Then you must be able to recognize those components and know how to detach them. Finally, you must have the necessary tools to perform this act. These three pieces are aspects of method. For opportunity, you must have access to the car’s engine, and you must be able to work on it in such a way that will not attract attention. For example, you might want to wear a mechanic’s uniform and arrive in a truck bearing the sign of an auto repair shop. Motive is up to the attacker: why do you want to disable this car? Is it one step in a larger attack, in which you harm the victim and then prevent the victim from getting into the car and driving away?
Chapter 2: Knock, Knock. Who’s There?
Students relate well to this chapter because they are familiar with passwords and can identify the weakness of guessed or disclosed passwords. The material is relatively easy, and biometric authentication devices appeal to students with a technology bent.
Instructional Suggestions As computer security specialists, we like to think our subject and our needs are paramount: No system should be allowed unless it has strong authentication. That position, however, can be at odds with usability. Taken to the extreme, every user would need a distinct authenticator for each system, and there would be no relationship between authenticator (that is, no user could have the same password—or even a similar one—for two systems). Clearly that position would be unpopular with users, and when users find a restriction too harsh, they tend to try to override or undermine it. Students should learn the security rationale for strong authentication, but they should also learn how to judge which systems require strong authentication and which can accept weaker forms, or perhaps even none at all. This chapter is a good point at which to begin discussion of ethics, because students can relate to the potential harm of a purloined email account, even without being a candidate for public office. It is also a good time to emphasize the difference between ethics and the law, as investigators were lucky to identify and arrest Kernell, and to secure a conviction.
Chapter Exercises 1.
How do many computer applications thwart password-guessing attacks? Many programs employ a password lockout by which they refuse to accept new password entry attempts after a small number (typically three to five) of successive password failures.
2.
List advantages and disadvantages of assigned passwords, that is, an application program assigns an initial password to each user and, at an appropriate time, assigns a new password. The user has no role in choice of passwords or frequency of change. Advantages: passwords can be chosen from a large character set, of a given length, and changed with a certain regularity. Disadvantages: users have trouble remembering a long, meaningless string of characters, and consequently they dislike using assigned passwords.
3.
List several applications for which a weak but easy-to-use password may be adequate protection. Depends on the threat. If the goal is to discourage a not-very-dedicated attacker, any password, no matter how weak, will do. A fair analogy is to the lock on a bedroom or bathroom door in a private home. Many such locks can be opened with a pin or screwdriver; the purpose of such locks is to say “I want privacy” but allow an override for emergency access.
4.
For authentication based on something you are, both false negatives and false positives are problems. Discuss whether one of these is more important than the other by citing situations in which one is more important and justifying that those kinds of situations are more prevalent. False negatives deny legitimate access, so for a system in which availability is critical, a low false negative rate would be more important than a low false positive rate.
5.
Construct an experiment to estimate the speed at which a particular computer can process an authentication password. From that estimate, determine how long it would take to test common password candidate lists, such as a list of 100 or 1000 popular passwords, the same list enhanced with orthographic substitutions (3 for e, zero for O, one for l, 2 for z, and so forth), and a word list from a common online dictionary. There is no single right answer to this question. The point of the question is to perform the analysis to determine the number of possibilities and the rate at which those possibilities can be checked.
Experimental 6.
Conventional rules for password use include not writing down a password. Is this always necessary? That is, can you cite a situation in which writing down a password is only a minor vulnerability? Writing down passwords is a vulnerability only if the written form can be readily found. In a setting with strong physical security, in which the threat from malicious insiders is low, written passwords are not seriously harmful. For example, a family computer in a private home may be of low risk if the users keep a shared list of passwords of shared, common sites, for example, news media or travel sites.
7.
Discuss the algebra of authentication: Assume a situation with two-factor authentication and call the factors A and B. Considering the four cases in which each is either strong or weak, what conclusion can you draw about the result: weak A + weak B = ?, weak A + strong B = ?, etc. Does order matter, for example, is weak A + strong B = strong A + weak B? Does it matter if the two factors are of the same type, for example, two things you know? What happens if you add a third factor C? This question does not have a single right answer. You should base your discussion on analysis of examples.
It is up to the students to present results based on analysis, but students may find more countermeasure examples than simple algebraic relationships. No such algebra has yet emerged in the research community.
8.
List four questions about yourself whose answers you would easily remember but an imposter would be unlikely to guess or find elsewhere. Exchange your list with another classmate and see if either of you can determine the answers to any of the other’s questions. Example questions: shoe size, last three digits of a previous phone number, favorite food, earliest childhood memory, kind of objects collected (e.g., coins, play programs).
9.
You forget your password to a web site, so you click the box saying “forgot my password” to have a password sent to you by email. Sometimes the site tells you what your password was; other times the site sends you a new password. What are the security ramifications of these two approaches? Is one more secure than the other? Why would a site use one instead of the other?
If the site sends you your actual password, the password was stored in the system, where it could be found by an attacker or a malicious insider. Some sites store only a scrambled (encrypted) version of each password; when a user enters a password, the site applies the scrambling algorithm and compares the scrambled result with what is stored. In this way, assuming the scrambling cannot be reversed, no attacker can extract a user’s password from the system.
10.
Defeating authentication follows the method–opportunity–motive paradigm described in Chapter 1. Discuss how these three factors apply to an attack on authentication. Authentication is the step before access is granted to some sensitive resource. Thus, the attractive resource provides motive for wanting to defeat authentication. Method entails skills and knowhow: Passwords are of some finite length from a finite alphabet, so in theory all passwords can be enumerated (although the process takes a long time). For technology, used with biometrics and tokens, design specifications and usage manuals are often widely available, so the attacker can obtain details with which to attack. Finally, opportunity translates into time and physical access, which may be the controlling factors in an authentication attack.
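The lockout from exercise 1 and the stored-scrambled-password comparison from exercise 9, sketched as an added example (not code from the book or this manual). It assumes PBKDF2-HMAC-SHA256 with a per-user salt as the irreversible scrambling; the class and method names, the iteration count and the threshold of three are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumed work factor for the one-way scrambling
MAX_FAILURES = 3       # assumed threshold; the manual says typically three to five


class LockedOut(Exception):
    """Raised when an account has reached the successive-failure limit."""


class PasswordStore:
    """Hypothetical credential store: keeps salt + derived value, never the password."""

    def __init__(self):
        self._records = {}    # user -> (salt, derived value)
        self._failures = {}   # user -> count of successive failed attempts

    @staticmethod
    def _scramble(password, salt):
        # One-way derivation: the stored value cannot be turned back into the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)   # fresh random salt for every password
        self._records[user] = (salt, self._scramble(password, salt))
        self._failures[user] = 0

    def verify(self, user, candidate):
        if self._failures.get(user, 0) >= MAX_FAILURES:
            raise LockedOut(user)        # refuse further guesses, right or wrong
        salt, stored = self._records.get(user, (b"\x00" * 16, b""))
        derived = self._scramble(candidate, salt)   # same work for unknown users
        ok = user in self._records and hmac.compare_digest(stored, derived)
        if user in self._records:
            self._failures[user] = 0 if ok else self._failures[user] + 1
        return ok

    def forgot_password(self, user):
        """The old password cannot be revealed, so the only option is a new one."""
        if user not in self._records:
            raise KeyError(user)
        temporary = secrets.token_urlsafe(12)
        self.set_password(user, temporary)   # also clears the failure counter
        return temporary

    def stored_material(self, user):
        """What an insider or intruder reading the store would see."""
        return self._records[user]


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "constructed-sample-password")
    print(store.verify("alice", "constructed-sample-password"))
    print(store.stored_material("alice"))
```

A site built this way can only take the "send a new password" branch of exercise 9, because nothing it holds can be mailed back as the original.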
11.
Strong authentication can also risk availability. A simple example is that forgetting your password denies you access to that which required a password. Sometimes the stakes are high, for example, if a network administrator is the only one who knows the password to (or holds the only token for access to) a network device needed to block an ongoing attack. Even network administrators get sick, have accidents, are unreachable, or lose things. This situation is known as a single point of failure because the ability to access depends on one critical link: the administrator. How can a company prevent such a single point of failure? (1) Maintain a help desk, available 24x7 (which many companies have to support computer operation), and empower the help desk administrators to allow access to an individual user who can pass certain validity tests or questions. (2) Pair each employee with a small number of people (but more than one) who can authorize emergency access. (3) For the specific case of the network administrator or any other single critical person, identify backup people who know the necessary access authenticators. (4) Record the authentications in a book or file kept securely. (Note that the “do not write it down” rule for passwords applies only in situations in which physical security of the written list is an issue. In a network monitoring center, for example, physical security will necessarily be high anyway, and all persons in the monitoring center will be trusted to use the written password list responsibly.)
12.
Remembering multiple passwords is difficult. Suggest a scheme by which a person can create easy-to-derive but hard-to-guess passwords for many different cases. A person can define a personal password algorithm, involving a few easy-to-perform steps on a character string related to the destination to which access is sought. Assume the destination is a web site. The algorithm might be: (1) take the first five letters of the site name and make them all lower case, (2) move the first letter to the third position, (3) change the (current) first letter to the letter one later in the alphabet, changing Z to A, (4) make the fourth letter uppercase, (5) change the last letter to 1 if the letter is A–M or 3 if N–Z, and (6) end the string with a question mark. With this scheme, Microsoft would become jcmr3?
Additional Exercises
1.
List three reasons people might be reluctant to use biometrics for authentication. (1) Fear of physical harm (for example, looking into a lighted shaft for a retina scan), (2) Fear of physical contact (because of hygiene) for fingerprint or hand geometry readers, (3) Fear of false negative (for example, a cut or bandage on a finger needed for fingerprint recognition)
2.
A dictionary attack can be augmented to try orthographic substitutions, such as 2 for z and @ for a. Assume a common dictionary has 100,000 words and (to make calculations easy), all letters are lower case and the 26 letters are evenly distributed (that is, “a” occurs exactly 1/26 of the time as does “z”). How many extra substitute word possibilities are there, allowing @ for a? (That is, the attack would try the word “bay” and also “b@y”.) If there are ten such orthographic substitutions (2 for z, @ for a, 1 for I, 6 for b, $ for s, etc.), how many word possibilities would an attacker need to try? Substituting @ for a adds 1/26 * 100,000 words, which is approximately 4,000 more. Ten such substitutions add approximately 40,000 words (ignoring the fact that some of these “words” will have two substitutions, both z and a, for example, so that three new possibilities need to be tried: substitute for z, substitute for a, and substitute for both). The point of this question is to show that the substitutions increase the attacker’s work by 40%, which, although not insignificant, is not infeasible on a computer.
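The counting in this exercise and the timing experiment of chapter exercise 5, combined in an added example that is not part of the manual. The word list is constructed, PBKDF2 stands in for whatever check the measured system performs, and all function names are hypothetical; the count treats each substitutable letter as replaced everywhere in a word or not at all, as the answer's "both" case does.

```python
import hashlib
import time

# Substitutions named in the exercise (letter -> replacement character).
SUBSTITUTIONS = {"z": "2", "a": "@", "i": "1", "b": "6", "s": "$"}

# Constructed sample word list, for illustration only.
SAMPLE_WORDS = ["bay", "zebra", "sun", "jazz", "moth", "basis"]


def uniform_estimate(dictionary_size, n_substitutions):
    """The manual's model: each substitution adds 1/26 of the dictionary."""
    return dictionary_size * n_substitutions / 26


def extra_single(words, subs=SUBSTITUTIONS):
    """One extra candidate per (word, substitutable letter present in it)."""
    return sum(len(set(w) & set(subs)) for w in words)


def extra_combined(words, subs=SUBSTITUTIONS):
    """Every non-empty subset of the substitutable letters present in a word:
    2**d - 1 extra candidates for a word with d such letters."""
    return sum(2 ** len(set(w) & set(subs)) - 1 for w in words)


def measure_checks_per_second(trials=200, iterations=100_000):
    """Time `trials` password checks on this machine (PBKDF2 is an assumed stand-in)."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for n in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"candidate%d" % n, salt, iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return trials / elapsed


def seconds_to_test(n_candidates, checks_per_second):
    """Time to try every candidate once at the measured rate."""
    return n_candidates / checks_per_second


def report(dictionary_size=100_000, n_substitutions=10):
    """Work for the plain dictionary and for the dictionary plus substitutions."""
    rate = measure_checks_per_second(trials=20)
    extra = uniform_estimate(dictionary_size, n_substitutions)
    return {
        "checks_per_second": rate,
        "plain_seconds": seconds_to_test(dictionary_size, rate),
        "with_substitutions_seconds": seconds_to_test(dictionary_size + extra, rate),
    }


if __name__ == "__main__":
    print("single substitutions:", extra_single(SAMPLE_WORDS))
    print("with combinations:  ", extra_combined(SAMPLE_WORDS))
    print(report())
```

On the sample list the combined count is more than double the one-at-a-time count, which is the effect the answer sets aside when it rounds to 40,000.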
3.
If a user is prohibited from using any of the most recent n passwords, why should the system still protect those passwords from viewing, just as strongly as it protects the current password? Users who must periodically change may use passwords consisting of a string and a number, where the number is changed each time the password must be changed. Thus, if an attacker obtains two prior passwords, the pattern may be obvious, which discloses the current password.
4.
Discuss the security impact of a biometric device that sends simply “yes” or “no” to the computer to show the user passed or failed authentication, versus one that sends a full representation of the biometric credential to be evaluated on the computer. For example, a user might insert a coded card (with his or her biometric pattern secretly encoded) into a reader and then place a finger over a print reader. The reader can then inform the computer that the user did or did not match the pattern described on the coded card. Moving the decision to the reader allows an attacker to substitute a phony or modified reader that always says “yes” for the attacker. Furthermore, the computer system has no knowledge of gradual changes, for example, if a person’s appearance gradually changes as hair gets gray.
5.
When police investigators perform DNA analysis are they doing identification or authentication?
Typically, and in the best situation, police are using DNA for authentication: They already have a suspect with high probability of involvement, and they want to authenticate that the person was at the scene where the DNA was collected.
6.
List three reasons why people choose weak passwords. (1) People underestimate the threat of impersonation, (2) they want to choose a password that is easy to remember, and (3) they are more accustomed to remembering words instead of complex character strings.
7.
Describe a social engineering attack that could be used to obtain a user’s password. Write the user a message saying the system is undergoing an upgrade, and the user will need to send (you) the user’s current username and password.
8.
Explain the tension between frequency of password change and security. More frequent change limits the risk of someone’s obtaining a password, but frequent changes are inconvenient for users.
9.
Explain what it means to say that a biometric device can be a single point of failure. A single point of failure is one item that, if it fails, denies access to an entire system. Any single authentication device is a potential single point of failure. For this reason, critical systems typically have two or more authentication readers, and two or more redundant computers processing authentication data from a replicated copy of the authentication database.
10.
Must identities be unique? Must authentication data be unique? Explain your answer. Identities must be unique; authentication data can be non-unique, although it should be impossible for anyone to detect which authentication data items match.
Chapter 3: 2+2 = 5
This chapter introduces a topic that should be familiar to all programmers: program faults and failures, commonly called bugs.
Instructional Suggestions
This chapter covers a significant amount of material often covered in software engineering. Students can skim this material if they already have a good understanding of such design and implementation concepts as defensive programming, testing, and configuration management. However, all students should probably review the section on security design principles, because these points, and especially the precepts from Saltzer and Schroeder [SAL74, SAL75], recur throughout this book.
Chapter Exercises
1.
Is the Mars probe example a case of incomplete mediation? Explain your answer. Yes and no. Yes, it involves failure to verify authorization to a location prior to granting access (for an update). However, the full situation involved several problems, including failure to program defensively (allowing an antenna panel to overrotate), and failure to enforce separation and strong data typing (rewriting two values at once and overwriting only part of a numeric data item), as well as absence of checking software. Thus, several problems compounded the situation.
2.
Suppose you are designing a database management system for shared access by multiple parties concurrently, such as an airline reservation system. Describe a design by which you could ensure complete mediation to all data in the database. One approach is the ability to lock each data item to be affected before writing any for an atomic update. However, the lock and hold strategy is subject to deadlock, which must also be dealt with.
3.
Suppose you are participating in a program review of the database system of the previous question. Describe how you would verify that complete mediation occurred. At what stage in development would your approach take place— requirements, system design, detailed or unit design, unit implementation, system integration, unit testing, system testing, operation? How would you ensure that your approach did not allow incomplete mediation at some later stage? The verification would occur at least in system and detailed design, and during testing.
4.
Consider the example cited in this chapter of the Tripwire program that led to a race condition. Describe a system design by which the race condition could have been prevented. The target buffer address or name could have been copied to system space, from which it would be accessed, not from user’s space.
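The design in this answer, as an added example that is not from the book: the service copies the caller-supplied name into its own storage once, so the check and the use see the same bytes. The path policy, the function names and the `window` hook that stands for the interval between check and use are constructed for the illustration.

```python
ALLOWED_PREFIX = b"/var/app/reports/"   # constructed policy for the demo


def is_allowed(name):
    """Time of check: only names under the report directory, no traversal."""
    return name.startswith(ALLOWED_PREFIX) and b".." not in name


def service_double_fetch(caller_buf, window=lambda: None):
    """Checks the caller's buffer, then reads the same buffer again to use it."""
    if not is_allowed(bytes(caller_buf)):     # first fetch: the check
        raise PermissionError("name rejected")
    window()                                  # the caller may run here
    return bytes(caller_buf)                  # second fetch: the use


def service_snapshot(caller_buf, window=lambda: None):
    """Copies the name once into service-owned storage; check and use share it."""
    private = bytes(caller_buf)               # single fetch into an immutable copy
    if not is_allowed(private):
        raise PermissionError("name rejected")
    window()                                  # later changes by the caller are irrelevant
    return private


def run_race(service):
    """Deterministic stand-in for the race: the caller rewrites its buffer
    in the window between the service's check and its use."""
    buf = bytearray(b"/var/app/reports/q3.txt")

    def caller_rewrites():
        buf[:] = b"/var/app/secrets/key.pem"

    return service(buf, window=caller_rewrites)


if __name__ == "__main__":
    print("double fetch acts on:", run_race(service_double_fetch))
    print("snapshot acts on:    ", run_race(service_snapshot))
```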
5.
Suppose you are participating in a program review of the Tripwire program. Describe how you would verify that there were no race conditions of the form outlined in this chapter. This is difficult to accomplish, because race conditions are not like a simple case in which a value is added when it should be subtracted. Detecting race conditions requires someone who can think creatively and globally, to envision the program running in an environment with other concurrent applications. There are no simple tests or formulas for finding race conditions.
6.
List points in favor of penetrate and patch as a security method. (1) Speed—it is quick. (2) In uncomplicated cases, it may identify and correct faults.
7.
Explain why small, single-purpose modules are likely to enforce security better than larger ones that do several things. What are the security advantages of a single, large, and comprehensive program unit? A single purpose lets the developer’s mind focus on one task; there are few conflicting or competing threads of logic to keep track of. On the other hand, a large number of small, simple modules can also be hard to coordinate. Some people do better with the “big picture” in one module in which all security impacts are present, instead of having to consult other modules to see if they have a security effect on one currently being inspected.
8.
System overhead is accrued each time a different module is invoked. Thus, from a performance standpoint, one large routine is more efficient than several smaller ones. How could you counter this performance argument in seeking to achieve security? Because the penalty is based on number of invocations, keeping that number down reduces the severity of the impact. Instead of repeatedly invoking a single routine, for example in a loop, it may be more efficient to include the routine’s behavior within the loop itself, and to reserve separate modules for largely self-contained activities.
9.
Explain the principle of least common mechanism and justify why it contributes to security. Least common mechanism means that routines do not unnecessarily share the mechanism by which they operate. As an example, consider a web hosting provider for retail sales. If all merchants use the same, common shopping cart and checkout mechanism, a flaw in the mechanism affects all sellers. Although there is an advantage to coding it once and getting that implementation right, that advantage is counterbalanced by the risk to all of a flaw in the common code. The common mechanism becomes a single point of security failure. A more subtle problem is that the common mechanism can become a means for unintended sharing. Again, with the common shopping cart example, a flaw in the mechanism might also allow merchant B to see data concerning merchant A’s customer or merchant A’s sales, both of which data items should be sensitive to merchant A.
10.
Explain the principle of least privilege and justify why it contributes to security. Least privilege states that a process operates with the fewest privileges consistent with its need to accomplish its goal. The printer driver probably does not need access to the user password file, for example. Two advantages of least privilege are first, in case of a security breach, the harm does not expand, and second, least privilege forces the programmer to think about security, to be able to justify privileges that are necessary.
11.
Suppose a team of programmers are all recent university graduates; in that sense, they are all peers, having equivalent backgrounds and experiences. Explain why they might not be the most successful team to perform a peer review of a system for security. How would you modify the peer review team to improve its ability to locate security failures? The obvious answer, adding a security expert, is not sufficient; you must argue that the security expert would be effective. Why would that be so? As studying this book should convince students, finding and handling security flaws requires practice. Experience is needed with both the kinds of threats and vulnerabilities—in order to be able to predict and identify them, and with the available countermeasures. It helps for security professionals to be able to “think like an attacker,” to focus on how to make security fail, whereas most programming is focused on how to make a program do what users want. Having this ability or experience—really, it is more a mindset—of focus on failure gives the security professional a unique perspective. A similar quality involves human factors or usability, which is another area lacking in many programmers, especially those with little experience; yet, poor usability can prevent a good program from ever meeting its intended goals. Thus, a variety of perspectives improves the review process.
12.
Suppose two modules are tested; 10 security failures are found for module A and 50 for module B. Can you conclude that A is more secure than B? Why or why not? Can you conclude there are more faults yet to be found in A than in B? Why or why not? Can you conclude that the testers for A were more lax than for B? Why or why not? Can you conclude that the development team for A was better than that for B? Why or why not? Can you conclude that the programmers of A were craftier at hiding security weaknesses than for B? Why or why not? First, this problem does not say anything about the sizes of A and B, the amount of time devoted to testing each, the nature of the programmers and their experience, the nature of the testing teams and their experience, or the nature of the problems A and B were to solve. Without this kind of background information, face-value comparisons are essentially meaningless. Even assuming close similarity in all factors relating to A and B, testing involves a degree of chance: for some reason, one team uncovered more failures than the other. It is risky to draw conclusions that way. Furthermore, two modules are seldom so closely similar. The underlying question is this: Does finding n errors in one module and m in another (where n<m) mean the first is better than the second? One argument is that more faults are yet to be uncovered in the first, but the counterargument is that the larger number of failures indicates poor implementation, so there are yet more faults waiting to be found. Neither of these two positions has strong support through solid research in the testing community.
13.
Penetration testing is based on Clark Weissman’s Flaw Hypothesis Methodology [WEI95], in which the tester hypothesizes a flaw, designs a test to confirm the flaw’s existence, applies the test, and uses the result of the test to refine the hypothesis by expanding on a demonstrated flaw or choosing a different potential weakness. How would you apply the flaw hypothesis methodology to search for failures in the Mars probe example of this chapter? The situation for the Mars probe specifically concerned updates, so we can focus on them, for which there are two cases: a patch value is laid in the wrong place, or the patch value is incorrect. Following the first case would entail reviewing all the wrong places in which a patch could be written and exploring all the effects incorrect values could have. The second case would entail considering all the wrong effects incorrect code could have, or all the ways the code could be incorrect. From each of these, the analyst would do a secondary analysis: assuming a flaw caused this problem, what would be the follow-on effects of that flaw, and so forth. This process sounds long and exhausting, because it is; penetration testing done properly is a detailed, methodical, exhaustive effort.
14.
Two general schools of thought of software development involve process and product. The process line of reasoning essentially says a good approach produces good code; the product approach essentially says good code is its own mark of success, regardless of how it was developed. Obviously, there are merits to both philosophies. Which of these two schools is more appropriate for security? Justify your answer. Neither is necessarily a clear winner. This is not a trick question; the important part is the student’s justification. (In fact, students could be told to pick any of (a), (b), both, or neither and they would still be able to get a good grade.) Justification could involve comparisons to related disciplines (manufacturing, technology, medicine), difficulties in measuring security (students should cite some of the actual papers on the topic), and other important factors (such as experience of the development team). Anecdotes and unsubstantiated opinions by students should get a poor mark.
15.
Describe how security testing differs from ordinary functionality testing. What artifacts (such as documents) would each produce? What results would each produce? A critical difference between security testing and functionality testing is that security testing is looking to prove a negative, for example, that confidentiality is not sacrificed. With functionality, simplistically, there is one right answer; with security, there are infinitely many wrong answers. Documents might be similar for both kinds of testing: Both use test plans, test scripts, test results. Security testing should also include a description of why the testing is complete, how a thorough search for potential vulnerabilities has been done, as well as the enumeration of vulnerabilities and test cases to show those vulnerabilities are not realized.
16.
One concept of software development is the “use case,” a description of how an outside entity (a human user or another software module) interacts with a module. Security sometimes considers an “abuse case,” a study of how a module can be misused. Describe what would go into an abuse case model. Testing could be either “clear box” or “black box,” depending on whether the actual code is examined or not. Clear box testing would enumerate threat agents and threats, potential vulnerabilities, and code aspects that could admit threats. Black box testing would be similar, except for the code aspects.
17.
Take a simple piece of software, such as a rudimentary text editor. Design several security-flaw hypotheses for the software. If you have access to a security-testing lab, implement those tests and follow the flaw hypothesis methodology to refine those tests and generate new ones. This question is a laboratory or paper exercise for students to perform to show understanding of the flaw hypothesis methodology. Things to expect in their work are: (a) a large list of potential vulnerabilities, (b) one or more tests to confirm or reject each hypothesized vulnerability, (c) the results of those tests, and (d) further hypotheses from the tests that confirmed vulnerabilities.
Additional Exercises
1.
Could computer program testing be automated? That is, could a program automatically generate security test plans and expected outcomes? Why or why not? Automated testing is difficult, although there is considerable interest in it. On the positive side, automated testing would not be subject to testing bias, in which a test team ignores certain conditions to test or assumes the code will meet those constraints, and it could guarantee completeness of the aspects it “decides” to test. The limitation, obviously, is the process by which an automated tester “decides” what avenues to test. In security, automated testing could, for example, check for simple violations, such as using a variable before it receives a value or exceeding an array limit.
2.
Software development organizations today often use a form of programming in which the team does a little programming, tests that, writes code to add more functionality, tests that, writes still more code for more functionality, tests that, and so forth. The code process sometimes involves a “daily [or nightly] build,” in which the team collects all modules that are ready for use, compiles them together, tests the compiled result, and releases that version (either for more internal testing or externally to users), frequently, sometimes as often as daily (hence the name). Discuss the security implications of this methodology. As a system gets large, testing the interaction of the many components becomes more difficult, but as this book points out, the points of interaction are often the places where security vulnerabilities reside. Thus, the daily build concept places stress on the security of the end result. Modularity, information hiding, and defensive programming help achieve security in such settings.
3.
Software security testing can seem to be a never-ending task: The number of potential vulnerabilities is large, as is the number of points at which a vulnerability can occur, so there is a combinatorial explosion of possibilities to test. What factors can help to manage this seemingly endless set of possible sources of security failure? Modularity, least common mechanism, and defensive programming help to limit the potential growth.
4.
If you were to be the “testing captain” of a development team, your job would be to determine when enough testing had been done and to declare that a piece of code had passed its tests and was therefore secure. Being cautious, or wanting a secure job for a long time, you might decide never to stop testing. If a security flaw were later discovered, people would blame you as the person who accepted the code. Thus, you lose if the code has a security flaw, so you never release the code, and hence you never lose. How could this untenable situation be improved? This is a management issue. Security testing obviously has to have a budget, in terms of time or number of people or number of tests. On the one side, too small a budget leads to shoddy testing. But management needs to set a responsible budget for testing so that progress continues. Metrics, such as number of flaws found as a function of time since testing began, may help justify stopping testing at some point.
5.
Give an example of a race condition in ordinary life (not necessarily involving computing). Note: the trivial example of two competitors starting a competition at the same time is not an acceptable answer. A race condition involves two tasks, usually asynchronous, in which the overall result depends on the independent paces at which the two tasks are done. Consider two people building a house, one installing molding and the other laying carpet. If molding is installed first, the carpet can slip neatly under the molding, but if the carpet is laid first, it is difficult to hold the molding and nail it in place slightly above the carpet, and it is difficult to judge the size of the carpet to ensure the edge will be covered by the molding. Thus the challenge is for the molding installer to remain at least one room ahead of the carpet installer. Another example is a restaurant in which all people at a table are to be served at the same time, but the foods are prepared independently in the kitchen. If any item is finished too soon it is held under heat lamps, which can cause it to dry out or lose some flavor.
6.
Give an example of a time-of-check to time-of-use condition in real life (not necessarily involving computing). A customer in a supermarket puts some apples in a bag and is given a label for the price of the weight of the apples in the bag. The customer then puts more apples in the bag. The cashier scans the label on the bag for the charge of the original weight of apples.
7.
There is, of course, no automated tool that can detect usage mismatches, such as a calling program that supplies a parameter measured in minutes and a called procedure that expects a parameter measured in seconds. Suggest a way to reduce the number of such mismatches. Checking for appropriateness would be in order. A parameter value of 30 seconds is clearly different from one of 30 minutes, and the called routine can sometimes determine when a value is unlikely, although syntactically valid.
Chapter 4: A Horse of a Different Color
This chapter defines malicious code.
Instructional Suggestions
Scan the Mitre CVE list (https://cve.mitre.org/) or a major antivirus maker’s current threats lists (for example, http://www.f-secure.com/en_US/security/security-lab/latestthreats/virus-descriptions/index.html) for current, interesting examples of malicious code to discuss in class.
Chapter Exercises
1.
Outline an approach for determining the approximate cost of a malicious code infection. Your approach should be one that could be used for infections involving millions of computers throughout the world. Make sure the students understand that this question asks for an approach, not for precise numbers. The essence of this question is building a model of the cost of handling an infection. Factors students should consider include (a) the time to determine if a site has been affected, (b) the time to detect, assess, and block the infection, (c) the time to determine the extent of damage, and (d) the time to recover from the damage. These time estimates would be multiplied by the cost of a person to perform these tasks and the number of sites affected. The model might even break down an infection by number of affected systems at a given site.
2.
Explain why the autorun feature is a dangerous way by which malicious code can be transmitted. Autorun begins execution of a piece of code without the user’s clicking “run” or otherwise assenting to activation. This feature violates a basic principle of security that all actions should be mediated: there should be a positive access control decision.
3.
Explain why polymorphism is an advantage for malicious code writers. Malicious code writers want their code to evade detection. Malicious code checkers scan for patterns of known infections. If a malicious code writer can alter the appearance or pattern of a piece of code, that complicates or inhibits detection, and the more different ways the code appears, the better (for the attacker).
4.
Describe how malicious code writers use multipartite malicious code. With what properties, for example, stealth, activation, propagation or embedding, does multipartite code help? Multipartite malicious code helps both with stealth and embedding. Malicious code writers find it difficult to insert thousands of bytes of code into an existing routine, especially doing that without a sudden increase in the routine’s size (because such a change might attract attention). With multipartite code only a few bytes of execution code need to be inserted, and those few bytes can then fetch, store, and execute a larger body of code.
5.
Suppose your professor wanted to distribute some code to all members in your class. Assume your professor is unquestionably trustworthy. Your professor invents a scheme by which she will denote her code that is safe to use. Before
distributing the code, she will send a note to everyone saying she is about to post program P1, so when you find P1 on your class’s server you can trust it. How could Mel, a malicious student, sneak in his own malicious code under that model? Mel simply posts his own program version under the name P1.
6.
Continuing the previous question, suppose your professor added that P was a program of size x created on date y. How could Mel sneak in his code under that model? The creation date is a parameter stored inside the body of the code, so Mel can locate that value and set the creation date to match the professor’s. Size is harder to control. Of course, Mel could write a routine that is exactly the size the professor announces. Suppose Mel writes a routine smaller than the professor’s. Mel can then expand his routine with useless instructions (for example, assigning the value of a variable to itself) until reaching the necessary size. If Mel’s code is too large, Mel can use the multipartite technique to excise some code and invoke it dynamically.
7.
Continuing the previous question, suppose your professor added that the first 4 bytes of P were abcd. How could Mel sneak in his code under that model? Mel simply writes abcd and then follows that with his own malicious code.
8.
Continuing the previous question, suppose your professor added that the last (low-order) eight bits of the sum of all bytes in P was n. How could Mel sneak in his code under that model? At this point, the challenge for Mel becomes greater. The low-order eight bits yield a number between 0 and 255, so Mel’s random code has only a 1/256 chance of matching the professor’s. However, because only the low-order bits are used, Mel can change one code byte and correct the sum: Mel computes his sum, call it m, and compares that to the professor’s sum, call it p. Then Mel calculates (p − m) to see how much change he needs to make. Mel takes any byte of his code, ideally an unnecessary constant somewhere (call that value k), and changes its value from k to k + (p − m). The new sum is m + (p − m) = p.
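The answers to exercises 5 through 8 show that a name, a size, a four-byte prefix and an eight-bit byte sum can all be matched by a file that is not the professor's. The following added example (not from the book; the file contents, filler byte and function names are constructed for illustration) runs those announced checks against a substituted file and then shows that a SHA-256 digest, assumed to reach students over a channel Mel cannot alter, tells the two files apart.

```python
import hashlib
import hmac


def announced_attributes(data: bytes) -> dict:
    """Attributes the professor announces in exercises 6 to 8."""
    return {
        "size": len(data),          # exercise 6: size x
        "prefix": data[:4],         # exercise 7: first 4 bytes
        "sum8": sum(data) & 0xFF,   # exercise 8: low-order 8 bits of byte sum
    }


def passes_announced_checks(candidate: bytes, announced: dict) -> bool:
    """What a student following the professor's scheme would verify."""
    return announced_attributes(candidate) == announced


def build_matching_substitute(other_code: bytes, announced: dict) -> bytes:
    """Test fixture mirroring the answer text: pad to the announced size,
    then set one spare byte k so the 8-bit sum becomes p."""
    body = announced["prefix"] + other_code
    filler_len = announced["size"] - len(body) - 1   # last byte is reserved for k
    if filler_len < 0:
        raise ValueError("other_code does not fit in the announced size")
    padded = body + b"\x00" * filler_len
    m = sum(padded) & 0xFF            # sum before the correction
    p = announced["sum8"]             # sum the professor announced
    k = (p - m) & 0xFF                # k starts at 0, so k + (p - m) mod 256
    return padded + bytes([k])


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(candidate: bytes, published_hex: str) -> bool:
    """Strong check: compare against a digest published out of band."""
    return hmac.compare_digest(digest(candidate), published_hex)


# Constructed sample files, not real course material.
PROFESSOR_P1 = b"abcd" + b"print('hello, class')\n" * 3
OTHER_CODE = b"# a different program\n"


def compare_checks() -> dict:
    announced = announced_attributes(PROFESSOR_P1)
    published = digest(PROFESSOR_P1)
    substitute = build_matching_substitute(OTHER_CODE, announced)
    return {
        "substitute_differs": substitute != PROFESSOR_P1,
        "substitute_passes_announced": passes_announced_checks(substitute, announced),
        "substitute_passes_digest": verify_digest(substitute, published),
        "original_passes_digest": verify_digest(PROFESSOR_P1, published),
    }


if __name__ == "__main__":
    for name, value in compare_checks().items():
        print(f"{name}: {value}")
```

The digest only helps if students obtain it from the professor through a path separate from the class server, which is the "strong proof of origin" point made in Additional Exercise 5.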
9.
Explain why memory separation is useful, even if not perfect, for combating the introduction of malicious code. What does it achieve, but what weaknesses does it still admit? Memory separation controls the access of one user to another user’s memory space, either main memory (dynamic RAM) or stored memory space (contents of disk drives, flash drives, and other external devices). If a user Bernard is limited to accessing only memory assigned to him, programs running under his authority cannot affect the memory of the system administrator or any other user. So, assuming a computing system has been set up with multiple user spaces, and most programs and the operating system belong to an administrator pseudo-user, a program running in Bernard’s domain cannot affect the administrator’s memory space, specifically programs and the operating system. Malicious code can still affect Bernard’s data and any programs run exclusively by Bernard, but the rest of the system is protected.
10.
Explain why least privilege is useful, even if not perfect, for combating introduction of malicious code. What does it achieve, but what weaknesses does it still admit?
Least privilege limits the current user to the minimum privileges necessary to accomplish necessary tasks. As with the previous question, assuming privilege levels have been set appropriately, an ordinary user can do only what is within his or her privilege set. Malicious code affects only what a user is privileged to affect. Note, however, that programmers sometimes find it easier to require that a program run with high privilege. For example, one application to offload and save the contacts information from a cell phone requires administrator privilege to run, perhaps because the programmer was too lazy to create data files within a user’s domain, instead of the system domain. If users were more critical of such poor programming techniques, programmers could not get away with such excesses.
11.
Ethics question: Suppose you wrote a nonmalicious virus, just to see if you could do it; it only displays a box on the screen saying it has been installed successfully, and then deletes itself. Is that ethical behavior? Justify your answer with principles of ethics, not just your own opinions. Now suppose that to try out your virus you inform a friend, attempt to pass the virus to her, and succeed. Is that ethical behavior? Justify your answer, again based on principles of ethics. Now suppose you release the virus without warning to a larger set of people. Is that ethical behavior? Justify your answer, again based on principles of ethics. At what point does your behavior change from ethical to unethical? Is the point based on size? Number of affected systems? Effect of virus? Something else? This question challenges the student to set and defend a point at which an activity changes from benign to malicious. It is easiest for the student to justify a position of no virus or all viruses, because justifying the change from acceptable to unacceptable is complicated. The critical feature of this question is not the particular answer, it is the justification for where to draw the ethical line. Any place for the line could get full credit as long as the student adequately justified that place from principles of ethics.
12.
Is anyone free of ethical responsibilities? That is, you owe a certain ethical duty to your friends, for example, regarding malicious code. Do you owe the same responsibility to other students or colleagues in your situation whom you do not even know? To neighbors? To people of your country? To everyone in the world? There may be a different ethical responsibility to some set of people than to others. However, common ethical principles include properties such as justice and fairness, truthfulness, nonmaleficence, and respect. These properties are not usually phrased as fairness or justice for friends but not for others; these are universals. Thus, if you have an ethical duty not to harm friends with malicious code, that same duty would seem to apply to everyone.
13.
Suppose a law were passed outlawing the writing or dissemination of malicious code. What would be a reasonable definition of malicious code? Who would enforce such a law? How would the enforcers identify malicious code to restrict? How much effort would be needed to enforce the law? First, notice the inherent limitation of this approach: There are currently laws against murder and theft, but these crimes take place every day. Thus, although laws are necessary, and the presence of a law does serve as a deterrent to many people, merely passing a law does not make unacceptable behavior go away. The definition of malicious code is hard. One definition could be code that does something other
than its developers advertise, but all such descriptions are necessarily abstractions: They describe in general what code does, but cannot detail instruction-by-instruction what occurs. Code that sorts a list of names may record a name in temporary storage during the sorting process, but does that constitute something other than what is advertised? A critical element would seem to be maliciousness or malicious intent, but intent is hard to determine, and maliciousness can be subjective. Thus, as with many laws, defining the proscribed behavior precisely is challenging. Students should not be expected to produce a perfect definition, but they should show that they have thought of complications such as those defined here. Who would enforce the law is not easy, either. Code can be written by a citizen of country A while working in country B and having a negative effect on someone in country C. Laws are local to countries and other specific jurisdictions (such as states, towns, or districts). Which law applies to writing malicious code: A, B, C, or another? What incentive is there for country A to prosecute someone when the harmed individual is in country C? But what legal standing does that person, or country C, have in country B? Again, in this question the student is not expected to have the “right” answer; rather, the student should show evidence of having thought about and understanding these complications.
14.
Explain why a zero-day attack is potentially so harmful. A zero-day attack is potentially harmful because it is unknown: users will not know to watch for it or its effects, anti-malware programs do not search for it or its signature, and software writers do not have a control or countermeasure to prevent it, limit its harm, or recover from its effects.
15.
You want to induce unsuspecting victims to install a piece of malicious code. Design a ruse you would use. Document what you will do openly and what hidden activity will go on. Present the open part of your ruse to a classmate, whose task it is to determine your hidden methodology. (This interaction can be just using words; you do not necessarily need to write code.) Your classmate can ask you questions, which you may, but need not, answer truthfully. Have your classmate document what your ruse is. Compare your answers. This exercise calls for the student to be imaginative. Credit should be given for a compelling, believable ruse; credit should also be given for a classmate who asks probing questions that would expose many ruses, especially if the classmate can ask questions that reveal situations in which the original student has been untruthful.
Additional Exercises
1.
Computer crime was relatively obscure, infrequent, and of low harm until the late 1990s. From then, the amount of harm increased dramatically. Explain what changed around then to cause the amount of damage to increase sharply. The Internet, and especially web browsers and web sites, became popular. During this time, shopping, banking, and other financial activities began to take place on the web. Prior to that point, money exchange on the web was uncommon, so there was little financial motive for an attacker. The expanded flow of money attracted individual criminals and organized crime who could profit financially.
2.
How does file space separation help to reduce the impact of malicious code attacks?
With file space separation, a user or process can modify only files belonging to that user or process, so the effect of malicious code is limited. Although users can effectively destroy their own code and data, they are prevented from making longer-term changes that will recur at the next session or for other users.
3.
Critique the assertion that stealth is immaterial after the attacker has been able to place code on the victim’s machine: the harm is done by then. True, after the victim has been infected, the code has accomplished its purpose. However, by analyzing the attack code, the victim may be able to learn who wrote the code, how it infects, how it operates, and how it propagates, which can reduce the overall impact on others.
4.
One reason to study virus patterns is to be able to build tools that recognize malicious code efficiently. What is another reason? When one virus strain shows strong similarity to another, it leads analysts to suspect that the second strain is related to the first—perhaps they are from the same author, or from an author who acquired access to the earlier strain’s code. This coincidence can help to track the code source in order to identify and stop the author(s).
5.
One security expert argues that integrity checks such as error-correcting codes do not affect malicious code attacks; they merely provide a secure channel so that malicious code is transmitted with all its maliciousness intact. Argue against that expert’s assertion. Although the expert is correct as to the protection of code, integrity checks, coupled with some strong proof of origin, validate that the code is unchanged from the moment the trustworthy originator affixed the code. Such checks would mean, for example, that an attacker could not merge malicious code with a desirable (nonmalicious) utility routine.
6.
Explain why the autorun feature is potentially harmful and violates security principles. Autorun violates the principle of complete mediation, because the code begins execution immediately, without the user’s being able to decide whether the access or execution should be allowed.
7.
Describe the characteristics of method, opportunity, and motive as they apply to a malicious download from a web site. The attacker’s method—ability to write malicious code and host it on an appealing web site—is relatively easy. Even though modest programming ability is needed to write malicious code, malware code packages are for sale openly, so the attacker does not even need to be able to program. Opportunity is similarly simple, because web sites with a popular theme (for example, a news story about a celebrity) attract hundreds of thousands of visitors. Motive is at the attacker’s discretion.
8.
What vulnerability is being exploited in the case of a fake malware detector? The vulnerability is gullibility or lack of education. The user naïvely assumes that the malware detector is working on the user’s behalf.
Chapter 5: The Keys to the Kingdom
This chapter introduces the student to subtle malicious behavior. Everybody has heard of some form of malicious code, so students may well think that is the only—or primary—concern for computer security specialists. In this chapter, students can begin to think like an attacker, in part because the case study is close to students’ frame of reference.
Instructional Suggestions
The case study for this chapter is a good point at which to reinforce the method–opportunity–motive paradigm. The high school students had a familiar motive: to have better grades, and they apparently were not above using unethical, if not illegal, means to do so. Their method was an inexpensive, readily-available piece of hardware. Although many people are unaware that such devices exist, the device is not illegal or otherwise controlled, so it is not hard to acquire if one knows of one. As the case study points out, there were articles in major newspapers (including the Washington Post, which serves the region of that high school), and word could have spread to students in other ways.
Another characteristic of this example is that the alleged perpetrators were not sleazy, criminal types, nor faceless attackers from halfway around the world: they were presumably students indistinguishable from the hundreds of others in the school corridors. Thus, this story sets an important context for the nature of computer attacks: Literally anybody with motive could be an attacker.
It is worth exploring with the class what other techniques could have accomplished the attackers’ objectives. Notice that this attack did not require great skill, detailed knowledge, specialized training, large amounts of time or money, or sophisticated software. What other attacks could have succeeded?
It is also worth examining the ethical issue. What the students apparently did is clearly wrong. But is this a case, as the school administrator asserted, of students violating the school’s trust? Would trust have been an issue had a teacher left a paper gradebook on the desk throughout the school year? That is, do the school and its administration share some responsibility for failing to provide adequate protection? Invite students to suggest parallel situations (an unlocked car, for example) and discuss reasonable expectations.
This chapter is also a good point to raise layers of overlapping controls. This computer should have had physical protection, which it apparently did not. Access to the grade manipulation program should have been protected by a strong authentication technique which, in this case, was infrequently-changed passwords. There should have been checks and balances of the grades, so that whenever a grade was changed, a record was produced, and someone reviewed those records. Perhaps periodic spot checks of grades should have been done, not just to detect unauthorized changes, but to ensure the correct functioning of the program. The list of possible countermeasures can go on. Students should be expected at this point to be able to generate a list of attackers, potential vulnerabilities, and countermeasures. Students should also be able to assess the strength of a countermeasure, as well as its cost or inconvenience factor, in order to justify which countermeasures to employ against which threats.
Chapter Exercises
1.
List three ways authorities at Churchill High School might have discovered the installed key logger device. (a) physical inspection, (b) review of logs of installed devices, (c) review of computer’s hardware configuration. Admittedly, these last two ways are most appropriate for situations in which a problem is suspected, and so they would probably not have been used at Churchill High School before the incident was discovered. However, the grade recording software should have generated a trace of grade changes, and some administrator should have been responsible for reviewing the trace. Unusual data in the trace could have led an administrator to investigate the integrity of the machine, leading to any of the three ways listed at the start of this answer. The grade program could even have displayed a message “Welcome, instructor Blue. Your last access to this program was at 3:48 pm on 23 Oct 2011.” On seeing an incorrect access time/date, an instructor should have investigated the reason for the wrong date. Student answers for this exercise could involve the direct approaches of (a) through (c), or students could raise the larger audit and accountability issues, which should lead to the necessary physical or logical examination.
2.
In similar situations, authorities have responded by banning use of all USB devices. Would that have been an effective countermeasure in the Churchill High School case? Why or why not? As the case study points out, key loggers can be hardware or software. Banning all USB devices, which would likely have been inconvenient and unpopular with the faculty, would have protected only against a hardware logger. Furthermore, the policy ban is hard to enforce, especially if users do not fully understand the threat or agree with the countermeasure as appropriate for the threat.
3.
In similar situations, authorities have responded by disabling or sealing off all USB ports. Would that have been an effective countermeasure in the Churchill High School case? Why or why not? The points of question 2 remain.
4.
Churchill High School responded to this incident by requiring all faculty members to change their passwords for the grade management application at least every 120 days. Was that an effective countermeasure? Why or why not? Suppose the frequency of password change was different, for example, 7, 30, or 60 days; would each of those numbers have been more or less effective? Justify your answer. Because 120 days is roughly half of a school year, that leaves a half-year window of vulnerability. Many schools issue grades every six or nine weeks, so grades from several cycles would be at risk. Reducing the period to less than the length of a grading cycle would contain the accuracy problem to one cycle. However, more frequent password changes are not popular with users. Students should be expected to point out these problems with the frequency issue, but ideally students should suggest a stronger alternative, such as two-factor authentication.
5.
In this chapter an example social engineering attack was given as someone who called a company IT administrator, alleging to be a senior executive who
could not access a necessary file. Describe how the administrator should have responded. First, determine a means to verify the authenticity of the caller. Second, determine that an actual emergency exists. Finally, provide only minimum access on an emergency basis. For example, if the caller said he needed access to a presentation file to show a customer, the administrator could have made just that one file available, and not full access to all the caller’s files.
6.
Another social engineering example described in this chapter involved someone who called an ordinary employee (not an administrator) asking the employee to run a particular command. What steps could or should an ordinary employee take in such a situation? Because of their training, experience, and responsibilities, we might expect IT administrators to be more skeptical of social engineering attacks than ordinary employees. How could a company improve its ordinary employees’ reactions to social engineering attacks? Employees who regularly interact with the public can be trained to suspect social engineering attacks. Employees who infrequently interact with the public can be trained to be skeptical of outside calls from unknown parties. Unfortunately, research on human behavior has shown that people are seldom skeptical and too often willing to help.
7.
Assume Churchill High School has called you in to help analyze the situation after it became aware that improper grade modifications might have occurred. Your job is to determine what might have gone on, what actually did go on, when, how, and to what degree. Focus only on the technical aspects of the issue, not on whether the students were guilty or how they should be dealt with. What steps would you take, and in what order? Be careful that your actions do not harm data that may be needed for later analysis. What can you conclude definitively, and what can you infer with partial confidence? A student’s answer might include some of these steps: (a) Begin a record of all actions taken and results obtained. (b) Forensic examiners typically make a duplicate copy of a disk image and work only from the copy, so as to be sure not to corrupt data. (c) Search for a log of who accessed the grading system and when. Look for unusual entries, such as outside of school hours. (d) Check to see if the system supports remote access. (e) Check for accesses other than during times near the end of a marking period. {You would expect teachers to post period grades right at the end of a marking period; you would expect any grade corrections to occur immediately after the grades are distributed, right at the start of the next marking period. Changes at times other than these call for scrutiny.} (f) Presumably there are backups of the grades. Comparing backup copies will let you determine when changes occurred. Investigators build a timeline to help them combine facts and draw inferences.
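Steps (c), (e) and (f) of this answer can be combined into one timeline: backup comparison brackets when each grade changed, and the access log pins the change to a time and account. The following is an added example, not from the book; the snapshot dates, student identifiers, log format, school hours and the five-day window around the marking-period end are all constructed assumptions, and backups are assumed to be taken at the start of the stated day.

```python
from datetime import date, datetime, time

# Constructed sample data (working copies only, never the original evidence).
MARKING_PERIOD_ENDS = [date(2011, 10, 28)]
EXPECTED_DAYS = 5                       # assumed window either side of a period end
SCHOOL_HOURS = (time(7, 0), time(17, 0))

SNAPSHOTS = [
    (date(2011, 10, 24), {("s1001", "MATH"): "C", ("s1002", "MATH"): "B", ("s1003", "CHEM"): "D"}),
    (date(2011, 10, 31), {("s1001", "MATH"): "B", ("s1002", "MATH"): "B", ("s1003", "CHEM"): "D"}),
    (date(2011, 11, 21), {("s1001", "MATH"): "B", ("s1002", "MATH"): "A", ("s1003", "CHEM"): "A"}),
]

ACCESS_LOG = """\
2011-10-27 15:12:40 blue LOGIN
2011-10-27 15:14:02 blue UPDATE s1001 MATH
2011-11-16 22:41:09 blue LOGIN
2011-11-16 22:43:55 blue UPDATE s1003 CHEM
"""


def grade_changes(snapshots):
    """Step (f): each difference between consecutive backups brackets a change."""
    changes = []
    for (d_old, old), (d_new, new) in zip(snapshots, snapshots[1:]):
        for key in sorted(old.keys() | new.keys()):
            if old.get(key) != new.get(key):
                changes.append({"key": key, "old": old.get(key), "new": new.get(key),
                                "after": d_old, "before": d_new})
    return changes


def parse_updates(log_text):
    """Step (c): extract UPDATE records; other record types are ignored here."""
    updates = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[3] == "UPDATE":
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            updates.append({"ts": ts, "user": parts[2], "key": (parts[4], parts[5])})
    return updates


def flags_for(ts):
    """Step (e): flag times that fall outside when legitimate changes are expected."""
    flags = []
    near_period_end = any(abs((ts.date() - end).days) <= EXPECTED_DAYS
                          for end in MARKING_PERIOD_ENDS)
    if not near_period_end:
        flags.append("outside marking-period window")
    in_hours = SCHOOL_HOURS[0] <= ts.time() <= SCHOOL_HOURS[1]
    if ts.weekday() >= 5 or not in_hours:
        flags.append("outside school hours")
    return flags


def build_timeline(snapshots, log_text):
    """Correlate each backup-detected change with logged updates in its interval."""
    updates = parse_updates(log_text)
    timeline = []
    for ch in grade_changes(snapshots):
        lo = datetime.combine(ch["after"], time.min)
        hi = datetime.combine(ch["before"], time.min)
        hits = [u for u in updates if u["key"] == ch["key"] and lo <= u["ts"] < hi]
        if not hits:
            # The change is definite (backups differ) but its time is only bracketed.
            timeline.append({**ch, "when": None, "user": None,
                             "flags": ["no logged update in interval"]})
        for u in hits:
            timeline.append({**ch, "when": u["ts"], "user": u["user"],
                             "flags": flags_for(u["ts"])})
    return timeline


if __name__ == "__main__":
    for entry in build_timeline(SNAPSHOTS, ACCESS_LOG):
        print(entry["key"], entry["old"], "->", entry["new"], entry["when"], entry["flags"])
```

A change that appears in the backups with no matching log record separates what can be concluded definitively (the grade changed in that interval) from what can only be inferred (who changed it and when).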
8.
A grade management program might have several roles for users, such as administrator, department head, teacher, guidance counselor, student. For each role, list briefly the actions a person in that role should be able to perform; for example, a single student should be able to see but not modify his or her grades, or a department head should be able to see the grades for each student in any class. It may be useful to start with one role and then consider adding or deleting actions for the next role. Are the actions of any role a subset of any
other? If so, which? Is the suggested set of roles complete; that is, are there other roles with other actions? If so, what? Students should be able to define several roles of limited privileges, such as student, teacher, subject administrator (such as chair of the mathematics section), general administrator (such as a principal), system administrator, guidance counselor.
9.
Synchronous password-generating tokens are subject to a condition called clock drift: One token’s clock may run slightly faster than another, so the token generates password n+1 when the base authentication system expects password n. Present an algorithm for addressing drift. In your algorithm, consider two cases: normal, slight drift (for example, less than 1% variance), and massive drift (for example, changing every 10 seconds instead of 60). One algorithm receives a generated password and compares it to the current password plus one, two, or more passwords earlier and later than the current password. If one of these passwords matches, for example two later, the system accepts the password and records in an internal table that the sender is two passwords ahead. Subsequently, the system will expect all passwords from that sender to be two or more passwords forward. In this way, the system resets its concept of “now” for that user to be two passwords ahead. Over time, “now” may drift by a position or two, and the system records the shift. A change of more than one or two positions signals an unacceptable error condition, and the system rejects it.
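The drift-handling algorithm in this answer, as an added example that is not from the book. The book does not specify how the token derives its passwords, so HOTP-style HMAC truncation is used as a stand-in; the class name, status strings, window of two positions, diagnostic search range and replay check are assumptions of this sketch.

```python
import hashlib
import hmac
import struct


def one_time_password(secret: bytes, step: int, digits: int = 8) -> str:
    """Password number `step` for a token holding `secret` (HOTP-style stand-in)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_step(seconds: int, rate_percent: int = 100, step_seconds: int = 60) -> int:
    """Step a token displays after `seconds`, if its clock runs at rate_percent."""
    return (seconds * rate_percent) // (100 * step_seconds)


class DriftTolerantVerifier:
    def __init__(self, step_seconds=60, window=2, diagnostic_range=20):
        self.step_seconds = step_seconds
        self.window = window                      # largest shift accepted at once
        self.diagnostic_range = diagnostic_range  # searched only to explain a reject
        self.secrets = {}
        self.offsets = {}     # the "internal table": steps each sender is ahead
        self.last_step = {}   # last accepted step per user, to refuse replays

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.offsets[user] = 0
        self.last_step[user] = -1

    def verify(self, user: str, password: str, now: int) -> str:
        secret = self.secrets[user]
        # The system's idea of "now" for this user includes the recorded shift.
        expected = now // self.step_seconds + self.offsets[user]
        span = range(-self.diagnostic_range, self.diagnostic_range + 1)
        for delta in sorted(span, key=lambda d: (abs(d), -d)):   # 0, +1, -1, +2, ...
            step = expected + delta
            if step < 0:
                continue
            if not hmac.compare_digest(one_time_password(secret, step), password):
                continue
            if abs(delta) > self.window:
                return "rejected_excess_drift"    # massive drift: error condition
            if step <= self.last_step[user]:
                return "rejected_replay"
            self.offsets[user] += delta           # record the shift for next time
            self.last_step[user] = step
            return "accepted"
        return "rejected_no_match"


if __name__ == "__main__":
    secret = b"constructed-secret"                # constructed, not a real key
    v = DriftTolerantVerifier()
    v.enroll("blue", secret)
    for t in (6000, 12000):                       # token clock runs 1% fast
        pw = one_time_password(secret, token_step(t, rate_percent=101))
        print(t, v.verify("blue", pw, t), "offset", v.offsets["blue"])
    pw = one_time_password(secret, token_step(120, rate_percent=600))
    print("10-second token:", v.verify("blue", pw, 120))
```

A token rejected for excess drift is a candidate for replacement or a supervised resynchronization rather than a wider acceptance window, since every extra accepted position also widens what a guesser can hit.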
10.
For purposes of this question, assume the students did what they were alleged to have done at Churchill High School. Clearly, the students’ actions were unethical and perhaps even illegal. It would be infeasible for a school to enumerate all unethical things students might do and present a comprehensive list at the start of school. Suppose the school communicated nothing to students at the start of the school year about proper behavior. Would the school be justified in punishing these students? Why or why not? Under what conditions would the school have been justified in punishing a faculty member or school administrator? Under what conditions would the school have been justified in seeking recourse against the company that manufactured the grade management program? Justify your answer. The ethical principles of honesty and fairness suggest that it is unethical for students to change properly-assigned grades. Thus, the students could be punished for engaging in acts that most people would deem unethical. If the faculty members were negligent in allowing students access to the computer on which grades were maintained, or in failing to prevent relatively simple access control and authentication attacks, they could be punished for failing to perform duties expected of them. If the company’s product allowed compromise of the grading system through relatively easy attacks that the company should have foreseen and countered, the school system might seek recourse under the U.S. Uniform Commercial Code that requires products sold to be fit for their intended purpose.
11.
Design a scheme by which a credit card user can authenticate to a credit card processing company so that a merchant could be confident the user was the rightful owner of the credit card. Your scheme should have three aspects: first, for a face-to-face transaction, for example, a purchase in a store; second, for a voice transaction, for example, a purchase by telephone; third, for an electronic
transaction, for example, a purchase on the Internet. Describe the difficulty for the user, for example, your scheme might require the user to carry a token that might be inconvenient to carry. Describe the delay factor, if any, in the merchant’s seeking authentication. This question is focused on providing assurance to the merchant. Does it also protect the user or the credit card processor? Why or why not? The credit card company could require a user to supply a PIN for each use of the card. The PIN should be changed frequently, to reduce the impact of an attempt to impersonate the user. Changing PINs is inconvenient to users, but that inconvenience should be weighed against the time and expense of recovering from a fraudulent use. In the United States, consumers are liable for only the first $50 of fraudulent charges, so users have little incentive to prevent fraud, and credit card companies are reticent to do anything that might cause consumers to reduce their use of credit cards.
12.
Countermeasure actions are described with words such as prevent, detect, and deter. For example, using a one-time password might prevent certain kinds of attacks, whereas changing passwords from time to time deters some attacks. Suggest three countermeasures Churchill High School might take and indicate whether each can prevent, detect, or deter an incident. In the Churchill High School example, describe a situation in which deterring an incident may be adequate; describe another situation in which detecting an incident after it has occurred may be adequate; describe another situation in which preventing an incident is necessary. Explain your answers, justifying why deter, detect, or prevent is appropriate. Churchill High School could require a two-factor authentication scheme, so that intercepting passwords would not allow student access. This scheme would prevent compromise. As an alternative, the school could require faculty members to change their passwords every two weeks, for example, which would deter compromise, or limit the window of vulnerability to two weeks. If the students left their keyboard logger in place, however, they could intercept new passwords, thereby defeating the advantage of a new password. The school could institute a process in which faculty members were shown a banner stating the date and time of the last login, and the faculty members would be required to review the dates and times, to confirm the last accesses. This countermeasure could detect unauthorized access.
13.
In this chapter, we have presented the students at Churchill High School as having obtained physical access to a computer. Could they have changed grades without physical access? Why or why not? If the system allowed remote access (for example, through the Internet), and if the students could guess or otherwise learn of a faculty member’s access credentials, they could complete this attack without physical access.
14.
Give an example of security through obscurity in a computer situation. Give an example of security through obscurity in a situation not involving computers. Is security through obscurity an effective countermeasure in either example? Why or why not? The high school could have concealed the name of the grade management system, so that faculty had to type a command such as PLXCGS at the run command prompt. Not knowing the name of the grading system would presumably prevent students from accessing it. The keystroke logger would obviously overcome this ineffective measure. More importantly, however, faculty might have trouble remembering the name, so they might write it on a note attached to the shared computer for accessing the grading system; in this case, the obscurity fails for anyone who can read that note. As a non-computer example, hiding a house key under a plant next to the door is an example of security through obscurity. Skilled burglars look in such places.
Additional Exercises
1.
Explain the reasoning behind the warning “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” With unlimited physical access, an attacker can remove, replace, modify or add hardware (including changing circuit boards or an internal disk drive), as well as adding any software of the attacker’s choosing.
2.
Sidebar 5.3 considers four dimensions to insiders’ activity: the organization, system, user, and environment. We sometimes think of the computing system as the point of access control. Explain how the organization, user, and environment all play roles in preventing harm from inappropriate insider actions. The insider exercises a moral or ethical role: insiders typically know what is unacceptable. They also judge when an inappropriate action is called for to meet a higher goal, for example to prevent greater harm or to accomplish a critical task. The organization sets policy and condones certain behavior, both of which send messages to insiders of what will be tolerated. The environment includes laws and standards of professional practice, as well as a climate in which certain behavior is acceptable.
3.
Some people think technology is the answer to all computer security needs. However, human guards serve a useful purpose in physical protection. Explain advantages of a guard over technology. A guard can make a decision based on circumstances. A piece of technology will always make the same decision given the same inputs, for example, excluding anyone without an access badge. A guard, however, can decide, for example, to allow firefighters or rescue persons access in case of an emergency.
4.
Are there any places in Figure 5-2 at which data are not exposed? Justify your answer by describing an attack that would reveal data for each point you conclude is exposed, and by explaining what prevents such data leakage at the points you say are not vulnerable. Data are exposed at all points. Hardware attacks like the key logger can obtain data at all physical devices; intercepting software can obtain data at and above the BIOS level.
Interlude A: Cloud Computing These interludes provide you and your students extended problems on which to refine analytic skills. In this instructor’s guide we offer suggestions on how you can structure student activity. These interludes might involve any of the following approaches:
• Class discussions
• Individual homework assignments
• Group homework projects
• Small group discussions or homework assignments followed by in-class debate and discussion
• Research papers (on some specific point of the general topic)
• Discussion involving recent news articles
Instructional Suggestions As you know, there is no simplistic formula for security analysis. You do not simply start at the top of a checklist and work your way through the questions to an ultimate, comprehensive security analysis when you reach the end. However, some structures help to focus thinking.
Threats The three basic security threats are loss of confidentiality, integrity, and availability. Is any one of these more significant or more vulnerable than the others?
• Confidentiality: Are data more or less exposed to confidentiality threat when stored in the cloud? What are the specific confidentiality threats? (For example, user A sees user B’s data, A knows the existence or size of B’s data, A knows the time or frequency of change of B’s data.) Do these conditions change depending on whether a cloud is private or public? If part of the “data” placed in the cloud is an application for personal or general use, what is the confidentiality threat?
• Integrity: Are data more or less exposed to integrity threat when stored in the cloud? To what specific threat are data exposed—loss, deletion, modification, loss of precision, loss of accuracy, loss of fitness for purpose?
• Availability: A strong motivation for cloud computing is enhanced availability: data are available 24 hours a day, from anywhere. This availability advantage can become a difficulty if users rely on availability that then fails. (For example, a business traveler depends on having access to important documents in the cloud and is devastated if availability fails.) A second advantage of cloud computing is backup: the cloud service provider assumes responsibility for duplicating data to guard against loss. However, in some cases, data are modified at one point but the modification is not detected until much later. Without cloud computing, people save unlimited backups of old data, so it is possible to revert to a saved copy from weeks, months, even years earlier. The cloud provider may not save such extensive backups, so recovery from a week ago may be possible, but not a year ago. This becomes an availability issue, as well as an integrity issue. Similarly, cloud providers are not infallible: Even though providers claim they create automatic backups, they might fail to do so. If the user depends on the cloud provider for redundancy, the user might not make personal backups or might not do so as frequently or as regularly.
Some analysts also consider threats of failed authenticity and failed non-repudiation. How could these threats be realized in cloud computing?
Harm A different way to approach security analysis is by examining potential harm. In chapter 1 we classified harm in four categories: interception, fabrication, modification, and interruption.
• Interception: What is the potential harm from intercepted data?
• Fabrication: Is the harm from fabricated (forged) data greater or less with cloud computing as compared to standalone users or access within a closed network?
• Modification: Can the harm from unacceptable modification be detected, prevented, or recovered from more or less easily in cloud computing? One aspect of modification is quality or correctness. In the software as a service cloud computing model, applications run “in the cloud.” That is, the provider supplies the application, and the provider changes or upgrades the application as needed, sometimes without warning. Suppose a new version of an application contains a flaw that appears only for one user’s data. In a standalone situation, the user might first test a new application version before using it widely, and so perhaps the user might detect the flaw before it could cause a problem. In cloud computing, the user would not necessarily know there had been a change, and might detect the error only after significant time and data corruption.
• Interruption: What harm occurs from interrupted access to data for seconds? Minutes? Hours? Days? Permanently? Obviously, different examples apply to different time periods. And availability threats may not be simple on–off issues, but instead cases of degraded access. We all experience web sites that are slow. Depending on the case, we either leave or stay. If we abandon the web site and go on to something or somewhere else, we may return to the slow site later. In some cases we need to stay but become frustrated. Now extrapolate from web sites to entire computing tasks. How does performance (speed) relate to different computing tasks, such as writing a report, uploading photos, downloading a video, filing a time-critical document, performing a critical task? How does the situation differ if the interaction is not individual–to–computer but computer–to–computer, for example in a process control system (think of a nuclear power plant or a traffic control system) or a financial process, such as processing electronic payments or stock transactions?
About harm in general, how can someone quantify or evaluate an individual’s harm or the harm of a specific example? How does harm vary across the three classes of cloud computing: private, community, and public?
Threat Agents A third approach to security analysis involves looking at who or what could or would cause harm.
• Threat agents: Explore the sorts of harm from different kinds of sources: natural disasters, unplanned or unanticipated failures, fallible humans (insiders and outsiders), malicious insiders, competitors, hackers, criminals, terrorists.
• Method: What knowledge would be necessary to mount a successful attack on an entire cloud, on a single cloud user? How could that knowledge be obtained? What resources (for example money or computing equipment) are necessary or desirable to complete an attack?
• Opportunity: Is a cloud more or less exposed than a conventional installation in terms of allowing a threat agent access?
• Motive: Who has motive to attack a cloud computing participant: for example, a competitor, disgruntled employee, criminal, hacker, student, co-worker? Is the motivation stronger or weaker in a cloud setting than in a conventional situation?
Controls and Countermeasures How can cloud computing be protected against threats? Here are some possible countermeasures.
• Redundancy. A primary advantage of cloud computing is separation of the user from the technology that meets the user’s computing needs. A service provider is responsible for ensuring access in sufficient quantity. The provider performs backup through geographically dispersed copies. The provider also monitors performance and adjusts access to resources accordingly.
  o A provider cannot always plan for abrupt spikes in demand, such as access to a news site when a major event occurs, or a sudden rush of visitors when a new product is launched. Furthermore, not all applications are designed to support widely shared access. (Such an example occurred with a database management system unable to handle many concurrent accesses the day tickets went on sale for all events of a particular Olympic season. Even though the provider was ready to increase computing or storage resources as needed, the bottleneck was the application that constrained access to the ticket database.)
  o Users may seek to protect against failure of one cloud provider by spreading access across several providers. On closer inspection, however, distinct providers may share certain critical elements, for example, one telecommunications path to the Internet; thus failure or saturation of that one path affects all providers, and using two providers is no more protection than one.
• Administrative/management controls. Cloud providers typically sign legal contracts to provide service.
  o No provider can assure 100% service, so these contracts often include a “service level agreement” (SLA) that binds the provider to provide access, for example, 99.9 percent of the time, which means a down time of about 9 hours per year. Even a 99.99 percent SLA means up to about 50 minutes per year of denied access. The first question of such contracts is the compensation: If the user gets a rebate for fees for failure in excess of the SLA amount, is that adequate compensation? Double the fees? Is an outage of 1 minute per week different from 364 perfect days and one outage of 50 minutes? Is financial compensation a just remedy: That is, if people are injured because of car accidents when traffic lights fail, what good does money do?
  o After the contract ends, what happens to the data? The cloud provider might delete the data, but as we have pointed out throughout this book, “deleting” a file does not necessarily eradicate it irretrievably. On the other hand, it may be infeasible for the provider to find and expunge all traces of a client’s data throughout the cloud.
  o Suppose a cloud provider is acquired by another company, and the new company wants to alter the terms of the contract. Will these new terms be acceptable to the user? Rejecting new terms and moving to another provider may be an expensive proposition for a user, but that weights the negotiation in favor of the provider.
• Access control. A cloud environment potentially involves sharing of resources, so access control is critical. At what level is access control applied: the individual data item, change (that is, tracking each change to a data collection), file, version? Is access controlled by name, identity, role, time, source? How is identification authenticated? What record is kept of accesses?
  o An advantage ascribed to cloud computing is sharing or collaboration: two users can share use of one object, for example, two people editing a common report. Ignoring the obvious problem of competing edits, consider the additional access control demands of collaboration. A and B have to be aware of changes each makes. If there are ten collaborators instead of two, who coordinates and approves changes? Who determines security constraints? How easily and quickly can access controls be implemented in the cloud?
• Architecture: Users can review a system to detect potential single points of failure, that is, one resource, data item, person, application, device or anything else whose failure would allow system or security failure. Multi-story buildings generally have two or more stairways so that if one is engulfed in fire, occupants can escape using another stairway; thus failure of the one stairway does not cause a larger problem. How does cloud computing protect against single points of failure? How does it increase a user’s exposure to single points of failure?
Cloud computing users voluntarily relinquish control, which can be both good and bad, because the cloud provider may be more effective and secure than some users but less so than others. Users seldom have the opportunity to monitor the cloud provider’s operation to determine the strength of the provider’s security. Computer security involves balancing risk and reward. Explore the rewards (advantages) of cloud computing and compare them to the risks. Even if the benefits outweigh the disadvantages, controlling and limiting these disadvantages is still beneficial. However, users may be limited in what controls they can implement in a cloud computing environment. What things can a user accomplish individually, outside the cloud environment (for example, encrypting sensitive data before allowing it to be placed in the cloud), and what must a user depend on a cloud provider to implement successfully?
Chapter 6: My Cup Runneth Over This chapter covers a topic to which almost all students should relate easily; who among us has not written a program with a loop that ran one cycle too many or a data structure shorter than its use would require? Because the concept is simple, students should have little trouble understanding the attack, the vulnerability, and simple countermeasures.
Instructional Suggestions Buffer overflow attacks are so commonplace that it is worth exploring some of the security websites (for example, www.threatpost.com, www.f-secure.com, or www.microsoft.com/security) to find current examples to add to the class discussion. This chapter will be challenging for students with a weak understanding of machine organization, assembly and machine language, and compiling, linking, and loading. Understanding code as data is a key concept; at this point, students need to know that material. Students who need help should look for additional reading; a quick search for university courses on machine organization and compiler construction will lead to current textbooks for a student to consult. The chapter is long, but an instructor may want to concentrate on some of the earlier material. The basic definitions of buffer overflows are important, and students will appreciate the rather detailed examples of buffer overflows in the Morris worm, Code Red, and Conficker. However, students without a strong background in machine organization and operating systems may be challenged by the latter sections on separation and memory control (especially paging and segmentation). Although these are important countermeasures, in some classes, it may be appropriate to skip these latter sections, and proceed directly to general access control.
Chapter Exercises
1.
Chapter 3 presented the concept of an organized software development process. Identify three points during the process in which the dialer overflow vulnerability should have been detected. System specification, design review, unit testing
2.
Explain why the effect of a buffer overflow is hard to predict. A buffer overflow allows data to spill into an unintended memory area. Because of dynamic program loading, different code may be in the area during different executions of the same program that allows the overflow, so different dynamic programs may be affected. Furthermore, the space into which the overflow occurs may be executed immediately after the overflow, sometime later, or never, depending on when or if the affected code is executed.
3.
The C language permits the programmer to have direct access to memory constructs. For example, with C you can obtain the address of any variable. Explain how having the address of a variable can enable an overflow attack. Explain why a similar approach is not feasible in a different language such as Java or Pascal. With the address of a variable, the attacker can direct the overflow into a specific data item. The attacker has an advantage when that data item is on the stack or heap, because then the attacker can overwrite data items such as a caller’s return address. Languages such as Java and Pascal do not pass a variable’s address to the executing program, so it is more difficult for the attacker to control where an overflow happens.
4.
Two pairs of base/bounds registers can enforce separation between code and data. Explain why they cannot protect against stack or heap overflows. Essentially four independent code or data areas exist: program code, program data, the stack, and the heap. One pair of base/bounds registers can relocate and protect any one of these areas, but two pairs cannot protect all four areas at the same time.
5.
Simplistically, code should not be modifiable and data should not be executable. To explain why this simplistic division fails, cite an example of a situation in which it is necessary to modify something in the region in which code resides or to execute something in the data area. Describe a method by which code modification or data execution can occur in limited circumstances. Executing data is used by interpreters and interpretive languages. For example, consider a mapping program with streets, establishments (businesses), geographic features (such as rivers) and political markings (such as town names or county boundaries). Data embedded in the graphic image may control how that image is displayed, perhaps displaying or hiding some of these features. In this way, the data control how the display program executes, and the data themselves are executed in a sense. More complex situations involve an interpreter that executes a rich set of commands in a data area, so that the data space becomes a specialized programming language of a sort. As for modifying the code area, an example would be dynamic loading of program pieces. Based on conditions encountered during execution, one routine may load and transfer control to another. During loading, the fetched code is simply bits, indistinguishable from any other code or data, but those bits are then executed as instructions.
6.
How are the stack and heap normally prevented from colliding? These two data structures grow toward each other from opposite ends of a memory region. The operating system maintains two pointers, one each to the stack and heap, and the system checks to ensure that neither area runs over the other each time the operating system advances one of these pointers. Of course, if malicious code modifies the hardware pointers without the operating system, no checking occurs.
7.
Suggest a means by which a calling and called procedure can coordinate their use of parameters. That is, describe how they can agree on the number, type, and size of parameters they exchange. Is your approach enforceable? That is, what code would need to be executed and in which routine (or both) to ensure that both sides meet the conditions of the agreement. Discuss the efficiency of your code approach: On a single call–execute–return sequence, is your code executed once or more than once? The caller could supply as its first parameter a list of the subsequent parameters, their number, type and size. The called routine knows what parameters it expects and can compare its expectations to the incoming list. Obviously, the caller could lie, saying there were three parameters and putting only two in the shared parameter region. Similarly, on return, the called routine could lie by defining too few actual values. (The cases of too many values are less of a problem, because neither side will try to fetch more data than it expects.) The problems of length mismatch (especially for situations like null-terminated character strings) also exist. Basically, if caller and called routine are honest (and not flawed), cooperation is easy, but each routine needs to be skeptical of the other because of flaws and malicious misrepresentation.
8.
Can a program prevent integer overflow conditions? That is, can a compiler generate checking code to ensure that if two numbers are to be added, their sum is within the size of the result field? Justify your answer. Essentially, this problem reduces to needing to determine the sum of a result before computing it. As a trivial example, working with decimal numbers for simplicity, assume A and B are to be added, and the size of the result field is only two decimal digits, that is, between 0 and 99 (disregarding negative numbers for a moment). The compiler could generate code to take A, for example 75, and determine the maximum value for B that would not cause an overflow, in this case 24. The compiler code could then compare the actual value of B against 24, and signal an error if B were greater than 24. This fetch–subtract–compare action involves three additional actions for a simple addition; introducing signed numbers adds more actions, and multiplication adds even more. Thus, although a compiler could add this checking capability, doing so affects performance. Some hardware processors generate an error indication in the event of an integer overflow.
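The fetch, subtract, compare sequence from this answer, written out in C as an added example (not code from the book). It goes beyond the two-digit case to signed addition and multiplication on int; the function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The manual's toy case: the result field holds 0..limit (99 for two
 * decimal digits). limit - a is the largest b that still fits, so the
 * check is fetch, subtract, compare before the real addition. */
bool add_fits_field(unsigned a, unsigned b, unsigned limit, unsigned *sum)
{
    if (a > limit || b > limit - a)
        return false;
    *sum = a + b;
    return true;
}

/* Signed addition: which bound can be crossed depends on the sign of b. */
bool checked_add_int(int a, int b, int *sum)
{
    if (b > 0 && a > INT_MAX - b)
        return false;              /* would exceed INT_MAX */
    if (b < 0 && a < INT_MIN - b)
        return false;              /* would fall below INT_MIN */
    *sum = a + b;
    return true;
}

/* Signed multiplication: one division per sign combination, which is
 * why the answer says multiplication adds even more actions. */
bool checked_mul_int(int a, int b, int *prod)
{
    if (a > 0) {
        if (b > 0 ? a > INT_MAX / b : b < INT_MIN / a)
            return false;
    } else if (a < 0) {
        if (b > 0 ? a < INT_MIN / b : b < INT_MAX / a)
            return false;
    }
    *prod = a * b;                 /* a == 0 always yields 0 */
    return true;
}

int main(void)
{
    unsigned s = 0;
    int r = 0;
    printf("75 + 24 in 0..99: %s\n",
           add_fits_field(75, 24, 99, &s) ? "ok" : "overflow");
    printf("75 + 25 in 0..99: %s\n",
           add_fits_field(75, 25, 99, &s) ? "ok" : "overflow");
    printf("INT_MAX + 1: %s\n",
           checked_add_int(INT_MAX, 1, &r) ? "ok" : "overflow");
    printf("INT_MIN * -1: %s\n",
           checked_mul_int(INT_MIN, -1, &r) ? "ok" : "overflow");
    return 0;
}
```

Every check runs before the operation, so the overflowing arithmetic is never performed; GCC and Clang offer __builtin_add_overflow and __builtin_mul_overflow for the same purpose.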
9.
Representing a variable-length character string as a single-byte length count followed by the n characters of the string imposes a length limit on character strings. Why? Describe a solution that would permit strings up to a larger length. Can your approach allow strings of unlimited length? Why or why not? The length limit depends on the size of the field for the length count, in this case a single 8-bit byte, or 255. Longer strings could be handled by a longer length field. For example, the length byte could be interpreted as follows: 0–254, string’s length; 255, string’s length indicated in next two bytes. For those two bytes (the maximum value of which is 65,535), 0–254, ignored (handled by a 1-byte length); 255–65,534, string’s length; 65,535, string’s length indicated in next three bytes; and so forth. Although this scheme accommodates a string of any given length, manipulating a longer string takes longer.
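An added example, not from the book, of the escaped length prefix described in this answer, with a decoder that refuses truncated input. Big-endian byte order, the 8-byte width cap, rejection of the values the answer calls "ignored", and all function names are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_WIDTH 8u   /* widest length field handled here (assumption) */

/* All-ones value of a w-byte field: "the length is in the next w+1 bytes". */
static uint64_t escape_value(unsigned w)
{
    return w >= 8 ? UINT64_MAX : (((uint64_t)1 << (8 * w)) - 1);
}

/* Write the prefix for length n into out[0..cap). Returns the number of
 * bytes written, or 0 if it does not fit or n cannot be encoded. */
size_t encode_len(uint64_t n, unsigned char *out, size_t cap)
{
    size_t pos = 0;
    for (unsigned w = 1; w <= MAX_WIDTH; w++) {
        bool fits = n < escape_value(w);
        uint64_t v = fits ? n : escape_value(w);
        if (cap - pos < w)
            return 0;
        for (unsigned i = 0; i < w; i++)
            out[pos + i] = (unsigned char)(v >> (8 * (w - 1 - i)));
        pos += w;
        if (fits)
            return pos;
    }
    return 0;
}

/* Parse a prefix from in[0..avail). Returns bytes consumed, or 0 when the
 * input is truncated or uses a wider field than the value needs. */
size_t decode_len(const unsigned char *in, size_t avail, uint64_t *n)
{
    size_t pos = 0;
    for (unsigned w = 1; w <= MAX_WIDTH; w++) {
        uint64_t v = 0;
        if (avail - pos < w)
            return 0;                       /* never read past the buffer */
        for (unsigned i = 0; i < w; i++)
            v = (v << 8) | in[pos + i];
        pos += w;
        if (v == escape_value(w))
            continue;                       /* escape: try the wider field */
        if (w > 1 && v < escape_value(w - 1))
            return 0;                       /* belonged in a narrower field */
        *n = v;
        return pos;
    }
    return 0;
}

/* A record is prefix plus n bytes of text. Refuse a count that claims
 * more bytes than were actually received. */
const unsigned char *string_body(const unsigned char *rec, size_t avail,
                                 uint64_t *n)
{
    size_t used = decode_len(rec, avail, n);
    if (used == 0 || *n > avail - used)
        return NULL;
    return rec + used;
}

int main(void)
{
    unsigned char buf[16];
    uint64_t n = 0;
    size_t used = encode_len(65535, buf, sizeof buf);
    printf("65535 takes %zu prefix bytes\n", used);
    if (decode_len(buf, used, &n))
        printf("decoded %llu\n", (unsigned long long)n);
    return 0;
}
```

The prefix grows by 1 + 2 + ... + w bytes as lengths cross each escape value, which is the cost of allowing any length.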
10.
Before the Morris worm, there were few formal mechanisms for system administrators to coordinate with other administrators throughout the network. Research the development of a network of administrators. Describe the changes that occurred after the Morris worm, both in the United States and internationally. Both the United States and other countries developed CERTs, Computer Emergency Response Teams. Each CERT became a country-specific focal point to which system administrators could report incidents and receive reliable information on the activity of a specific incident. Furthermore, the CERTs could communicate with cohorts in other countries.
11.
Several major malicious code attacks have involved stealth, in such a way that the code took action to prevent its detection. First, describe steps an attacker can take to avoid detection. Then suggest ways analysts can detect such attacks. Of particular interest to investigators is to be able to analyze the attack code itself. How can the attacker try to prevent analysts from seeing code, and how can analysts obtain copies of the code to study? An attacker wants to leave as little of the code behind as possible. An attacker may encrypt parts of the attack code stored on disk, decrypting them only when they are to be executed. Alternatively, the attacker can fetch the malicious code from a remote site and erase the fetched code after it has been executed. In these ways, even if an analyst knows malicious code has run, the code, or at least large portions of it, is not stored on disk for the analyst to extract and examine. The analyst can try to obtain a memory dump to analyze code when it is in active execution. Especially malicious code will monitor the system and try to determine if an analyst is looking for code to analyze; if the malicious code thinks it is under surveillance, it can take defensive or offensive action, for example, defensively erasing its image or offensively erasing the entire contents of the disk. Thus, the analyst needs to be careful not to cause harm.
12.
Is there a point to an attacker’s causing an overflow that only causes a system to crash? Explain your answer. Yes, an attacker might only be interested in denying service to the victim, so causing the system to crash (repeatedly) achieves this result.
13.
For many attacks, including the four major attacks described in this chapter, the exploited vulnerability was known and protections were available before the attack took place. The attacks were successful because people had not applied the protections. Discuss why people might have failed to apply protections. Some users naïvely think they are not subject to attack, or think that protection such as anti-virus software will prevent attack. Others do not understand how to apply protections or think it is too difficult or time-consuming. Some people use illegal copies of programs or the operating system, and they cannot readily obtain updates for these illegal copies. Sometimes protection code interferes with other installed software; this problem is especially important in installations with many users, such as companies or schools. The administrators of large systems sometimes test protection code in a controlled environment to determine that it will not interfere. Distribution of updates in these environments can be delayed for days or even weeks until the testing can be completed, leaving users vulnerable.
14.
Discuss the application of the four kinds of separation (from Rushby and Randell, described in this chapter) to protect against overflow attacks. What should be separated from what? Is each of the four a feasible way to separate to prevent overflow attacks? Explain why or why not. You want to separate a region that might be subject to an overflow from affecting adjacent regions, whether the region is in hardware, main memory, or an auxiliary storage medium. Memory is the most tricky of these, because it contains different kinds of objects from different sources. Ideally you would want each data item—variable, stack entry, heap entry, array, data structure, string—isolated from all others. Temporal separation is of limited use, because the accesses are concurrent, not spaced over time. Physical separation, which can be supported by hardware, is easier for major objects, such as the code of a routine or the entire stack, than for individual data items (variables). Cryptographic separation is very effective, but the time to encrypt and decrypt can be prohibitive for individual data items. Logical separation is what is typically practiced.
15.
Fences and base/bounds registers provide limited granularity; that is, access is either within the fenced area and therefore permitted or it is outside and prohibited. Finer granularity would act more like an access control matrix: Accesses by certain users and in certain ways and to certain destinations are permitted. Explain how finer granularity could improve a system’s ability to prevent overflow attacks. This question is similar to question 4 regarding two pairs of base/bounds registers; at some point, the number of pairs of base/bounds or fence registers becomes infeasible to use effectively. Remember that for each hardware protection (such as a base/bounds pair), some code in the instruction must inform the hardware which pair to use for checking. If there are two pairs for instructions and code, respectively, the selection of the pair is automatic: the instruction pair for code fetches, the data pair for data accesses. As the number of pairs increases, something must dictate the use of pair A or B, etc.
16.
Is a canary a preventive or detective countermeasure? Explain your answer. A canary in a stack detects that an overflow has occurred because its value has been changed.
17.
Least privilege states that a subject should have access to only the minimum resources necessary, even if additional accesses would be harmless. Explain why minimal access is better than expanded access to harmless resources. What may seem like a harmless resource today may become significant tomorrow.
18.
The four access models—access control matrix (one), access control list (one per object), rights list (one per subject), and capability (one for each allowed subject–object–mode combination)—accomplish the same end but use different representations. Describe the overhead of implementing and using each of these models: That is, how much memory is used, how much processing is needed, and is the processing done once or every time an access occurs? This question is not asking for precise answers in number of bytes or microseconds of processing time. Instead, comment on whether space or time are used effectively: Is there wasted space or frequent, redundant computation? A full access matrix is usually sparsely filled, because most users have no access to other users’ resources. Even for a single user, many of the entries are redundant: a user may have full read/write access to all of the user’s data, so many of the nonempty entries will be RW. Access control lists are often short: one set of rights for the object’s owner (controller, creator), perhaps one set for the system administrator, and a final set for everybody else. Thus, there tend to be many short access control lists. Typically there are fewer subjects than objects, so there are fewer privilege lists than access control lists. However, a privilege list can be long, because it names all the objects to which a subject has some allowable access. Thus, searching a privilege list can lead to long access mediation. Capabilities are specific to one subject and object, so they are short but also numerous. Again, searching to locate the right capability can be time-consuming. No one data structure is perfect for all situations.
19.
Is it feasible or desirable to preclude all overflow attacks? Explain your answer.
Although desirable, precluding all overflow attacks is difficult, as several previous questions have established, and the time to prevent such attacks may be too serious an impact for many systems. A combined strategy of preventing easy attacks, detecting others, and being able to recover from successful ones may be best.
20.
Discuss methods for identifying the cause of an intermittent overflow error. For example, a 20-element table may overflow only when usage is heavy, which complicates the task of testing a system to determine this vulnerability. This is a hard problem, as are all intermittent error situations. Exhaustive data collection and analysis is the primary approach.
Additional Exercises
1.
Can the concept of the stack guard be extended to other possible overflow conditions? Explain your answer. A guard could be placed at the end of any critical data structure, where it would help detect overflow situations. For example, after an array of 20 elements, a guard could show that the 21st position had been written to, or at least, that some process had written into that location.
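The guard described in this answer, and the intermittent 20-element-table overflow of chapter exercise 20, can be sketched in C as follows. This is an added example, not code from the book; the names (guarded_table, gt_append_unchecked, first_overflowing_load) and the fixed guard value are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN   20              /* the 20-element table from the exercise */
#define GUARD_VALUE 0xC0DE5AFEu     /* constructed; a real guard would be random per run */

typedef struct {
    uint32_t slots[TABLE_LEN + 1];  /* slots[TABLE_LEN], the "21st position", holds the guard */
    uint32_t expected;              /* reference copy kept apart from the table */
    size_t   used;                  /* number of entries the program has appended */
} guarded_table;

void gt_init(guarded_table *t, uint32_t guard) {
    for (size_t i = 0; i < TABLE_LEN; i++) t->slots[i] = 0;
    t->slots[TABLE_LEN] = guard;
    t->expected = guard;
    t->used = 0;
}

/* The flawed routine: it appends without checking the subscript. For this
 * demonstration it stops once the guard slot has been written, so the code
 * never touches memory outside the array it owns. */
void gt_append_unchecked(guarded_table *t, uint32_t v) {
    if (t->used <= TABLE_LEN)
        t->slots[t->used++] = v;
}

/* Preventive counterpart: refuse the write instead of detecting it later. */
int gt_append_checked(guarded_table *t, uint32_t v) {
    if (t->used >= TABLE_LEN) return -1;
    t->slots[t->used++] = v;
    return 0;
}

/* Detective check: has anything written into the 21st position? */
int gt_guard_intact(const guarded_table *t) {
    return t->slots[TABLE_LEN] == t->expected;
}

/* Replays a series of workloads (entries appended per run) and returns the
 * index of the first run that left the guard damaged, or -1 if none did.
 * Checking the guard after every run is what ties an intermittent overflow
 * to the load that caused it. */
int first_overflowing_load(const size_t *loads, size_t nloads, int checked) {
    guarded_table t;
    for (size_t run = 0; run < nloads; run++) {
        gt_init(&t, GUARD_VALUE);
        for (size_t i = 0; i < loads[run]; i++) {
            if (checked) (void)gt_append_checked(&t, (uint32_t)(i + 1));
            else gt_append_unchecked(&t, (uint32_t)(i + 1));
        }
        if (!gt_guard_intact(&t)) return (int)run;
    }
    return -1;
}

int main(void) {
    /* Constructed workloads: only the fourth run is "heavy" enough to overflow. */
    const size_t loads[] = {3, 12, 20, 21, 7};
    printf("unchecked: first damaged run = %d\n", first_overflowing_load(loads, 5, 0));
    printf("checked:   first damaged run = %d\n", first_overflowing_load(loads, 5, 1));
    return 0;
}
```

A guard of this kind misses a write that happens to store the guard's own value and a write that skips past the guard word, which is why it detects overflows rather than prevents them.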
2.
An analyst finds that a particular program does not check the appropriateness of a subscript’s value before writing to an array. Is it wise for the analyst to continue to investigate to determine if the program has other flaws? Explain your answer. The first step is for the analyst to advise the owner (developer, distributor, or administrator) of the program of the flaw. The owner is most likely to have access to source code to be able to locate the full source of the error and to craft a comprehensive correction. Of course, nothing precludes the analyst from continuing to investigate and updating the owner as new findings appear.
3.
Explain why overwriting the return pointer is a useful strategy for an attacker. The return pointer determines to where execution will pass when the current program exits. By altering that value, the attacker can redirect execution to any point and instructions of the attacker’s choosing.
Chapter 7: He Who Steals My Purse …
Two primary countermeasures are introduced in this chapter: physical security and encryption. Physical security is only addressed in the sense of redundancy and backup, but encryption is treated fairly deeply.
Instructional Suggestions
Depending on the instructor’s preference, a diversion into other aspects of physical security may be interesting at this point. Precisely because it involves tangible things, physical security catches some students’ interest. Different kinds of weather damage, fire, other environmental harm (noxious gases), heating and cooling, water, and electrical supply are all topics with which students have some familiarity but enjoy exploring further. Encryption can be frightening to students, especially those who think they cannot understand mathematics. You can show a substitution and transposition without any reference to mathematics or mathematical formalisms. (See, for example, additional exercise 14.) Then, once students can handle the simple concept, you can go to the book for a slightly more rigorous presentation. The descriptions of DES and AES carefully avoid any mathematics or formalism in their presentation. Do not accept an assertion from students that they need mathematics to understand encryption; to devise a solid encryption, probably yes, but not to understand and use this tool. Also, rather than overwhelming students with all encryption at once, in this book the encryption topics are carefully scattered, so that students can digest each piece individually and in a context in which that one piece contributes significantly to a countermeasure against some threat.
Chapter Exercises
1.
Who should be responsible for protection of data on a laptop computer: the person or company that owns the laptop or the person who created the data? Justify your answer. Consider the different perspectives of an individual, a company employee, or a student using a laptop shared with other students. There is no definitive answer. If you borrow a pen from a friend and the pen runs out of ink, is it your friend’s fault? Your fault? Most people would say neither is at fault. (A friend would, of course, say “this pen is pretty old; I don’t know if it has much ink left.”) So there is no definitive moral or legal responsibility. However, prudent people protect their own data, even if the protection is redundant. For example, a company might arrange to back up all data on company computers once a week. But an employee working on a critical document might also write a copy to an offline device several times a day to guard against unlikely hardware failure. And the company cannot always protect its devices: The office environment may have guards and controlled physical access, but the company cannot protect a computer that an employee takes on a business trip.
2.
The case at the start of this chapter said the FBI had examined the stolen-and-recovered laptop and concluded it did not appear that any data had been accessed. How could you determine whether data on a laptop had been accessed?
Among the metadata of a file structure are fields that show the date and time of last access and modification. Although these fields are not totally reliable (because they are just data on the disk so they can be overwritten by anyone who acquires necessary privileges), they do detect ordinary accesses. Furthermore, “most recently used” fields in applications such as word processors or media players report accesses. Data for these most recently used fields are stored in the registry, making them hard, but not impossible, for ordinary users to cover up. Thus, the FBI used a phrase like “did not appear” to have been accessed, instead of the stronger “was not.” Following these kinds of clues is part of the fascinating but diligent work of a forensic examiner.
3.
There has been discussion of a remote “kill switch” by which a computer could be disabled remotely if stolen or lost. We consider such a possibility in the cyber warfare interlude. What are the pros and cons of such a technology? Pro: Can stop access involved in an attack; can block known harmful activity even before the harmful activity begins. Con: A kill switch is just a signal. If the defenders can send that particular signal, so also can attackers who learn what the signal is. Thus the kill switch can in fact be used against the defenders. A second disadvantage is that a change of power can lead to unscrupulous people as the defenders, who will use the kill switch to suppress opposition. Finally, the kill switch mechanism can misfire, so a machine can shut down for no apparent reason.
4.
In this book we do not devote much attention to physical security, not because it is unimportant but because we want the main focus of this book to be on the technical aspects of computer and information security. List four different physical approaches to protecting computing equipment against theft. (1) Guards. (2) Fences, walls, and other physical barriers. (3) Locks to secure equipment against being carried off. (4) Alarms to signal if equipment is moved. (5) Inventory numbers and personal responsibility for individual computers. (6) Indelible labels and markings showing ownership of the equipment.
5.
Is encryption a suitable substitute for regular backups? Why or why not? Encryption protects against unacceptable access, read or write. Backups guard against loss of data. Encryption does not protect against device failure, accidental erasure, incorrect modification by an authorized party, and so forth.
6.
Is encryption a suitable substitute for theft protection? Why or why not? Encryption ensures that if data are stolen, they are not intelligible to the thief. It protects the content of the data, but not the device on which the data are stored. If the threat is an unauthorized person’s access to the data, encryption can be a suitable protection. If the threat is loss of the physical device containing the data, encryption is not adequate.
7.
Describe a situation in which useful information is conveyed to an attacker through a characteristic of encrypted communication, such as frequency or duration of communication, that does not depend on breaking the encryption. Sidebar 7-6 gives one example of inferring data, although it involves breaking the encryption of one term. A better example is also from wartime. Assume a small post is located in a place named Ford, and it usually sends only a few messages a day. Although encrypted, these messages can be seen by the enemy. One day, however, Ford starts to send a large volume of messages, many of which go to another post in
a place named Dodge. The high volume of Ford–Dodge traffic alerts the enemy that something is happening involving these two posts.
8.
Explain why a one-time pad is considered to be a perfect cipher. What conditions are necessary in order for a one-time pad to prevent an unauthorized receiver from breaking the encryption? To be effective, the one-time pad must never repeat the pad sequence. That is, two identical snippets from the pad sequence must ultimately differ. In this way, knowledge of a previous part of the sequence will not help the attacker infer the current part of the sequence. The difficult part of a one-time pad is arranging for sender and receiver to have identical copies—and the only copies—of the sequence.
9.
A random number generator is decidedly nonrandom. Most operate by producing a long series of numbers that eventually repeats, and once the repeat cycle begins, it continues indefinitely repeating with the same period. Suggest a source of a truly random number stream, that is, a series in which a number may (probably does) repeat, but not according to a pattern. That is, if the stream contained …13, 27, 99 …, 13 may reappear, but it will not necessarily always be followed by 27 and 99. A good source of random (that is, nonrepeating) numbers is physical phenomena. Imagine a device that photographs traffic on a street once every thirty seconds. An analyst finds a single spot on the photographs and emits a 0 if there was no vehicle in that spot and a 1 otherwise. The sequence of 0s and 1s is truly random, because the presence of a car at one moment does not determine whether there will be one in the next photograph. This process can be speeded up for a longer stream of numbers. Different physical phenomena can be sampled, such as particles in the air, bits on a digital communications line, or voltage on an electric cable. When searching for random bits, analysts may disregard high-order bits that change infrequently or over a small space. For example, an electrical supply may be nominally 110 volts, but in fact the voltage fluctuates slightly as devices start and stop, so the voltage is actually 110 volts ± 5%, or 104.5–115.5 volts. A good device might measure the voltage to a precision of 4 decimal places, producing readings such as 109.4732, 112.6332, 107.9525, 105.0000, and so forth. The portion to the left of the decimal is uninteresting because it will always be between 104 and 115. But the digits to the right of the decimal presumably are any value from 0000 to 9999 with no pattern and with equal probability. Thus, using those digits would produce a random sequence.
10.
Suppose you work for a company that handles sensitive data relating to their customers. Your boss is opposed to employing encryption to protect the data. List three justifications you could give for why using encryption would be a prudent business decision. (1) Encryption is the recognized best practice for protecting the confidentiality of data. Because other people use this strategy, using it can reduce a company’s legal liability in the event of a breach (that is, the company can show it was using ordinary and prudent practices to protect its data). (2) The cost of encryption is low, both in terms of cost of encryption devices or programs, and in terms of impact on computation. Thus, its cost is commensurate with the risk of data loss. (3) Available devices operate almost invisibly, so employees do not need extensive training or understanding to use encryption effectively.
11.
Cite an application in which a stream cipher is more appropriate than a block cipher. Cite an application in which a block cipher is more appropriate. Stream encryption is more appropriate to streams of data that may appear in irregular bursts of various lengths, for example, text messaging. Block encryption is more appropriate to large, high volume transmission, such as transfer of data files.
12.
Kerckhoff’s principle was described in Chapter 5 in the section on (lack of) security through obscurity. Explain how that principle applies to the design and use of encryption. Kerckhoff, and later Shannon, concluded that it is best to require the least amount of secret information, equivalently to assume that the adversary may obtain the secret information. Before the use of computers, encryption was performed using mechanical devices. Code masters assumed that these devices, or their design, would at some point fall into the hands of the enemy (as, in fact, happened with the Enigma machines in World War II). What protected the communication was not the secret design of the machines, but rather the secret encryption key that could be closely guarded by a small number of people. Thus, the strength of the encryption did not depend on the secrecy of the machine or its algorithm. Current cryptanalytic practice is to release the design and even justification for the design of an algorithm, for public scrutiny and criticism.
13.
Explain why choice of a fixed key length (56 bits) was a limiting decision for the DES algorithm. Since the 1970s, when DES was invented, the speed of computers has increased significantly, and even then improved speed was a reasonable assumption. Trying all possible 56-bit keys was infeasible on 1970-era hardware, but as the speed of computers improved, the time for exhaustive analysis went down. With a fixed key length, the amount of work remained constant, but the time to perform that work declined. If the key length had been variable, not fixed, the amount of work could have been increased as the time to perform a unit of work decreased, thereby keeping the exhaustive analysis infeasible.
14.
If it took only four days for 1998-era hardware to crack a 56-bit DES key, how long would it take to crack a 64-bit key with similar hardware? This question seeks to determine whether the security of DES would have been substantially stronger if 8 bits had not been reserved (but never used) for parity. For a rough calculation, assume $2^{56}$ ($\approx 7 \times 10^{16}$) comparisons were done in 4 days (= 345,600 seconds $\approx 3.5 \times 10^{5}$). Thus, $(7 \times 10^{16}) / (3.5 \times 10^{5}) \approx 2 \times 10^{11}$ comparisons could be done per second. A 64-bit key would require $2^{64}$ ($\approx 2 \times 10^{19}$) comparisons, which would require $(2 \times 10^{19}) / (2 \times 10^{11})$ or $10^{8}$ seconds, which is 1157 days, or slightly over 3 years.
15.
If it took only four days for 1998-era hardware to crack a 56-bit DES key, how long would it take to crack a 112-bit triple DES key with similar hardware? A 112-bit key would require $2^{112}$ ($\approx 5 \times 10^{33}$) comparisons, which would require $(5 \times 10^{33}) / (2 \times 10^{11})$ or $10^{22}$ seconds, which is approximately $3 \times 10^{14}$ years.
16.
Describe the difference between confusion and diffusion in a cryptographic system. Explain why strong cryptosystems today employ both. Confusion changes bits, diffusion moves those changes throughout the ciphertext. Confusion requires the attacker to infer the change algorithm; diffusion requires the attacker to determine where those changes have had effect.
17.
Explain how encryption can lead to a loss of availability. Encrypted data can be obtained only with the appropriate key. If a key is lost or otherwise unavailable, the encrypted data cannot be retrieved.
18.
Explain how encryption can protect data integrity. Encryption protects integrity by ensuring that meaningful change is impossible. An attacker can intercept ciphertext, and perhaps change 0x10010110 to 0x11010110, but the attacker has no idea whether that change has affected an account number, amount, name or blank space.
19.
Discuss how the concept of work factor applies to cryptanalysis. Work factor is illustrated in exercises 14 and 15. It indicates the amount of effort or time the attacker must employ to break an encryption. Notice, however, that calculations such as in exercises 14 and 15 assume the attacker uses the brute force approach of trying all keys. If the attacker knows something about the key structure, such as that it begins with 0x11110000, or that it contains three times as many 1s as 0s, that knowledge reduces the effort correspondingly. We must expect the attacker will take an easy way if there is one to be found.
20.
Explain the difference between breaking an encryption algorithm, deriving an encryption key, and determining the plaintext that corresponds to a given piece of ciphertext. Breaking the algorithm means finding a way to decrypt more easily than trying all keys, for example, by trying all keys on a reduced (hence, faster) form of the decryption, or needing to try only certain keys. Breaking an algorithm affects all encryptions performed under all keys. Deriving an encryption key allows the attacker to easily decrypt any text encrypted under that key, but text encrypted under other keys is safe. Determining the plaintext that matches a particular piece of ciphertext affects only that plaintext, unless the attacker can use that knowledge to infer the key.
21.
Suppose a company chose to use encryption to protect its most sensitive information, and the only person in the company who had the encryption key was the chief technology officer. Present an argument for why that key should be available to other people in the company. Describe a strategy so that the key could become available if needed but would generally be protected against casual access by people in the company. This question relates to exercise 17. If the CTO becomes incapacitated, the key is unavailable, as are the encrypted data. Some companies maintain a backup copy of the key that is stored in a secure place, such as a safe under control of the president (with suitable backup in case the president is unavailable). Other companies split the key into pieces, and entrust each piece to a single trustworthy employee or, for redundancy, give piece 1 to employees A and B, piece 2 to C and D, and so forth. To recover the full key requires the cooperation of (A or B) and (C or D) and …
22.
If a company has encrypted its most sensitive data with a key held by the chief technology officer and that person was fired, the company would want to change its encryption key. Describe what would be necessary to revoke the old key and deploy a new one. All data encrypted under the old key must be decrypted and reencrypted under the new key. Cryptanalysts recommend periodic change of encryption keys to preclude key guessing and key analysis attacks, but the need to decrypt and reencrypt limits the practicality of changing keys associated with stored encrypted data. Key change is feasible for data in transit (meaning that the data will be decrypted immediately on receipt).
Additional Exercises
1.
You have received an encrypted file and know it is of a text document written in English. How would you quickly test that piece of ciphertext to determine if it was likely the result of a substitution cipher? Assuming the file was English prose, symbols should appear in frequencies corresponding to the frequencies of letters in standard text. Analyze the frequencies of the symbols and see if there is a correspondence to the distribution of letters in English. From that distribution you may be able to infer which symbols represent certain letters.
2.
You have received an encrypted file and know it is of a text document written in English. How would you quickly test that piece of ciphertext to determine if it was likely the result of a transposition cipher? As with exercise 1, count the frequencies of letters. In this case, not only should the characters match the distribution of standard English prose, but the letters themselves should appear with the expected frequency.
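The quick tests from additional exercises 1 and 2 can be run as one program, shown here as an added example rather than code from the book. It assumes a commonly published English letter-frequency table, two thresholds chosen for this illustration (IC_MIN and CHI2_MAX), and a constructed sample text, key alphabet, and column count.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Approximate English letter frequencies a..z in percent (commonly published table). */
static const double ENGLISH_PCT[26] = {
    8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153,
    0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
    2.758, 0.978, 2.360, 0.150, 1.974, 0.074 };

#define IC_MIN   0.055  /* assumed cut-off: English-like unevenness is about 0.066, flat about 0.038 */
#define CHI2_MAX 0.5    /* assumed cut-off on chi-squared per letter */

/* Constructed sample plaintext (229 letters), used only to produce test ciphertexts. */
static const char SAMPLE[] =
    "the analyst counts how often each letter appears in the message and "
    "compares the counts with ordinary english text a transposition only "
    "moves the letters around so the counts stay the same while a "
    "substitution renames the letters and keeps only the shape of the "
    "distribution";

typedef enum { ENGLISH_LETTERS, ENGLISH_SHAPE, FLAT } verdict;

/* Counts a..z case-insensitively and returns the number of letters seen. */
size_t count_letters(const char *text, unsigned long counts[26]) {
    size_t n = 0;
    memset(counts, 0, 26 * sizeof counts[0]);
    for (; *text; text++) {
        int c = tolower((unsigned char)*text);
        if (c >= 'a' && c <= 'z') { counts[c - 'a']++; n++; }
    }
    return n;
}

/* Index of coincidence: depends only on the shape of the distribution,
 * so renaming the letters (substitution) leaves it unchanged. */
double index_of_coincidence(const unsigned long counts[26], size_t n) {
    unsigned long pairs = 0;
    if (n < 2) return 0.0;
    for (int i = 0; i < 26; i++)
        if (counts[i] > 1) pairs += counts[i] * (counts[i] - 1);
    return (double)pairs / ((double)n * (double)(n - 1));
}

/* Chi-squared per letter against English, letter by letter: small only
 * when each letter itself occurs about as often as it does in English. */
double chi2_per_letter(const unsigned long counts[26], size_t n) {
    double chi2 = 0.0;
    if (n == 0) return 0.0;
    for (int i = 0; i < 26; i++) {
        double expected = ENGLISH_PCT[i] / 100.0 * (double)n;
        double d = (double)counts[i] - expected;
        chi2 += d * d / expected;
    }
    return chi2 / (double)n;
}

/* ENGLISH_LETTERS: consistent with transposition (or plaintext).
 * ENGLISH_SHAPE:   consistent with a simple substitution.
 * FLAT:            neither test fits. */
verdict classify(const char *ciphertext) {
    unsigned long counts[26];
    size_t n = count_letters(ciphertext, counts);
    if (index_of_coincidence(counts, n) < IC_MIN) return FLAT;
    return chi2_per_letter(counts, n) < CHI2_MAX ? ENGLISH_LETTERS : ENGLISH_SHAPE;
}

/* Simple substitution under a constructed key alphabet (lowercase input). */
void substitute(const char *in, char *out) {
    static const char key[] = "qwertyuiopasdfghjklzxcvbnm";
    size_t i;
    for (i = 0; in[i]; i++)
        out[i] = (in[i] >= 'a' && in[i] <= 'z') ? key[in[i] - 'a'] : in[i];
    out[i] = '\0';
}

/* Columnar transposition: emit the text column by column. */
void transpose(const char *in, char *out, size_t cols) {
    size_t n = strlen(in), k = 0;
    for (size_t c = 0; c < cols; c++)
        for (size_t i = c; i < n; i += cols) out[k++] = in[i];
    out[k] = '\0';
}

int main(void) {
    char sub[sizeof SAMPLE], tr[sizeof SAMPLE];
    substitute(SAMPLE, sub);
    transpose(SAMPLE, tr, 7);
    printf("substitution -> %d, transposition -> %d\n", classify(sub), classify(tr));
    return 0;
}
```

Frequency counts alone cannot tell a transposition from untouched plaintext, so ENGLISH_LETTERS covers both; reading the text settles that.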
3.
Suggest a source of a very long sequence of unpredictable numbers to which both a sender and receiver could have easy access. Assume both sender and receiver have access to copies of the same book. You could agree to take every n-th letter, for example, beginning on a particular page, translating letters to numbers.
4.
Name a data item whose lifetime (amount of time for which confidentiality is needed) is approximately one day; name another whose lifetime is closer to a year, and another whose lifetime is closer to a century. Corporate earnings reports, financial forecasts, events that would affect the stock market have a lifetime that lasts only until the data become public. Data on patents and inventions are sensitive only until the patent is filed or the device is made public. Personal data, such as taxes or salaries and health or adoption records, may require protection throughout the life of an affected person, which is closer to a century.
5.
Are DES and AES stream or block ciphers? These algorithms are primarily block ciphers, in that each is designed to encrypt a block of a particular size as one unit. Both have variants that allow them to be used for stream encryption.
6.
If the useful life of DES was about 20 years, how long do you predict the useful life of AES to be?
Using an analysis similar to main exercises 14 and 15, the student should estimate the work factor to break a 128-, 192-, or 256-bit AES key using brute force.
7.
A one-time pad must never repeat. Yet, in a series of fixed-length numbers, for example 8-bit bytes, some number must ultimately repeat, because there are only 256 8-bit numbers (0–255). Why are these two statements not contradictory? The requirement for a one-time pad is that the series must never repeat, not that a single number must never repeat. Thus, a single number, for example 42, may repeat many times in the sequence, or even a finite series of numbers, for example 42, 29, 137, 255, … as long as the duplicate series eventually differs, for example, 42, 29, 137, 255, 81 … and 42, 29, 137, 255, 93 …
8.
Is there any harm in using an undisclosed encryption algorithm? That is, algorithms such as DES and AES have been openly published for scrutiny and criticism. Is it cryptographically sound to use an algorithm that is not publicly disclosed? There is no harm in using a nonpublic algorithm. An advantage of public scrutiny is a search for flaws by experienced cryptanalysts. A second advantage of a public algorithm is that the implementation in software can be similarly scrutinized for errors in implementation. These two checks are not available for private algorithms. But assuming the algorithm is sound, there is no harm in using a private algorithm. A minor advantage is that an intercepting cryptanalyst cannot even use an off-the-shelf implementation to perform a brute force key search.
9.
Two encryptions are not necessarily better than one. That is, in certain situations, E1(E2(x)) for two algorithms E1 and E2 is less secure than a single encryption, such as E1(x). Describe a situation in which this is true and explain why it is so.
Hint to the student: Think of double and triple DES. Triple DES can be used with two functions in E-D-E mode. But in the degenerate case in which the two functions are the same, E(D(x)) = x, so the two encryptions cancel each other out, so two encryptions yield no protection at all. More generally, the two algorithms may interfere, so one removes some of the protection applied by the other.
10.
Does encryption go “stale” or degrade over time? No, encryption is just as effective later as it was when applied. However, encryption algorithms can be analyzed and found to be flawed, encryption keys can be obtained in many ways (such as bribery or theft, as well as deduction), and attackers can work on encrypted data over time, all of which may reduce the effectiveness of encryption. These factors reduce the security of certain instances of encryption, but the encryption process itself does not weaken over time.
11.
Is encryption a suitable substitute for authentication? Why or why not? Encryption achieves authentication, in that the only way to decrypt ciphertext is with something the receiver has, the decryption key. Thus, possession of the encryption key is a form of authentication (not really a substitute).
12.
Is encryption a suitable substitute for access control? Why or why not?
Encryption can accomplish access control, in that presumably only a bona fide recipient will have the key to permit decryption. Strength of the access control is limited by key management problems.
13.
In a known plaintext attack, the analyst already has the plaintext that corresponds to a piece of ciphertext. Thus, it would seem that decryption is a moot point and there is nothing more for the analyst to do. What is the goal of a known plaintext attack? The goal of a known plaintext attack is not to recover ciphertext, which the analyst already has, but to infer the key or decryption method, with which the analyst can decrypt other ciphertext, to which the analyst may not have the corresponding plaintext.
14.
Does a substitution need to be a permutation of the plaintext symbols? Why or why not? No. Many examples of encryption involve substituting one set of symbols for another. For example, Sir Arthur Conan Doyle used stick figures of humans as ciphertext in “The Adventure of the Dancing Men.”
15.
DES and AES are both “turn the handle” algorithms, meaning that they use repetition of some number of very similar cycles. What are the advantages (to the implementer, users, cryptanalysts, etc.) of this approach? For the implementer, the implementation is easy, as the basic step is surrounded by a repeat loop, amplifying the strength with little additional programming work. For the user, the strength presumably increases with each turn of the handle. For the cryptanalyst, however, the repetition can complicate the work. The analyst starts by tracing the algorithm’s impact on a single bit through the steps of the algorithm. Then, however, the analyst’s work goes on and on with each iteration.
Chapter 8: The Root of All Evil
Rootkits are potentially a new concept to students, who may already be familiar with other forms of malicious code, such as viruses and Trojan horses. This chapter gives students the sense that malicious code can do almost anything, and do so undetected and undetectable.
Instructional Suggestions
Although a significant theme in this chapter is operating system design, and especially trusted operating system design, students do not need a strong foundation in operating systems to understand it. It is useful to take a little time to explain the concept of system calls, the system interrupt handler address table, and primitive functions such as memory and file management. Although these are not difficult concepts, they may be new to some students. A productive class discussion can be based around “trust”: what qualities or evidence make us more or less trustworthy in a particular situation? Start with a bank: what physical features lead to trust (and what, such as heavy marble columns, may lead to trust with little substance or justification)? Continue the discussion to buying a car: how much of the sales agent’s talk generates trust? What else leads to trust? Finally, students might identify, at a high level, the security-relevant actions or functions of a modern operating system.
Chapter Exercises
1.
Explain what system resources a rootkit can monitor and control by hooking to a hardware function. Hooking to a hardware function is extremely potent for a rootkit, because it means the rootkit code can monitor and control anything that hardware function can, which is generally all system functions and resources.
2.
Why does a rootkit take such extreme steps to remain undetected? A rootkit is ultimate power, so the attacker wants to preserve that ability as long as possible. Not showing its presence helps the attacker retain the infection.
3.
Is there any system data a rootkit cannot intercept and filter? If so, what? Perhaps the only uninterceptable data is direct hardware to hardware interaction, for example, the result of execution of each instruction. If an instruction is “add A and B, placing the result at C,” the rootkit can control the values of A, B, and C before and after the instruction’s execution, but the rootkit cannot alter the execution of the instruction itself. Thus, an instruction to change hardware execution mode or privilege level, activate an I/O device, or power the machine off cannot be altered by a rootkit. However, the rootkit can alter the flow of a program to prevent such an instruction from being executed. A hardware condition—such as execution of an undefined operation code, transfer to a nonexistent memory location, division by zero, or component failure—would generate an exception that the rootkit could not prevent. However, the rootkit could change the software executed to handle such an exception.
4.
The Sony XCP rootkit installed itself the first time a user loaded a Sony CD in a computer’s drive. Why did the code not simply run off the CD each time the CD was inserted to play music? Two reasons: First, for efficiency, it is faster to have the code installed once and simply invoked each time a music CD was inserted. Second, a user who copied just the music of the CD, not the rootkit code, could redistribute that music; computers into which such a CD was inserted would play the music normally, just as they would for any non-Sony CD.
5.
As shown in the Sony example, rootkit writers have no advance knowledge of what operating system developers will do. Space the rootkit takes for its use may later be used by the operating system for another purpose. What can the rootkit writer do to reduce the likelihood of conflict with future operating system development? The rootkit can call system functions to acquire space dynamically for its routines, because many operating system functions are loaded into any available space.
6.
Layered operating system design by itself does not eliminate the problem of rootkit introduction and installation. Explain how layering reduces the likelihood of such infection. Layered code can be protected by layers: more critical layers require greater privilege to execute and modify. Although installation of functions into a critical layer is not impossible, the rootkit writer has more difficulty operating as an undetected privileged process.
7.
One debate in the security community concerns open and closed design. In an open design (of which Linux is the predominant example), all the source code is available for inspection by anyone, whereas closed design (practiced by most of the commercial operating system community, including Microsoft and Apple) keeps source code hidden. Obviously, access to system code helps rootkit writers. Explain how open design helps people who would defend against rootkits. With an open design, a user can detect modifications by comparing the running version of the operating system against the known, open design. Such a user can also reinstall pieces of the system at any time. This checking requires a knowledgeable user, although utility routines can do the real work.
8.
How does a security kernel help protect against infection by a rootkit? A security kernel is the code that implements functions essential for enforcing security. For obvious reasons, it should be solidly protected against modification, so even if an attacker attempts to develop and install a rootkit, the kernel will prevent activity that could compromise security.
9.
A critical component of trusted system development is multistate hardware: two, or preferably more, levels of privilege enforced by hardware. Explain how multiple privilege states can help counter the threat of rootkits. As described in exercise 6, the rootkit author will have trouble acquiring privilege to install the rootkit.
10.
How does the trusted path concept help reduce the threat of rootkits?
Trusted path is a unique, unforgeable path from the user directly to the security kernel. This pathway is established before other code is activated, so the rootkit has to be activated after the user is already in control. The user can be called upon to decide which functions should or should not be allowed, and a knowing user could block a rootkit’s functioning.
Additional Exercises 1.
Could a computer program be used to test for rootkits automatically? That is, could someone design a program that, given a computing system (for example, the executable code of all system routines), would respond yes or no to show if the system contained a rootkit? Justify your answer. Highly likely not. Fundamentally, the Harrison-Ruzzo-Ullman (see [HAR76]) result shows the undecidability of the general security question, although that result also admits that specific security questions are decidable. Beyond the theoretical limitation, however, is the multitude of ways a rootkit can attach and the behaviors one can exhibit. There is no simple characterization of rootkit behavior that would let a program identify all and only the rootkits; rootkit functions such as enumerating files and sizes are close to normal system activity.
2.
Is a log of system activity likely to show the time, date, and source of a rootkit’s installation? Why or why not? This evidence would help to defeat the rootkit’s stealth, so a rootkit creator would likely disable system auditing while installing as much of the rootkit as possible.
3.
If a mobile phone can be infected with a rootkit, could the control system of an automobile or a nuclear reactor? Why or why not? Why might such infections be more difficult than on mobile phones? In theory, yes, any computer control system could be infected. Mobile phones are widely available at low price, so rootkit writers can get systems with which to experiment. Many mobile phones (especially smartphones) are designed so their operating system can accommodate add-on applications. Thus, a process is present on many mobile phones to acquire and install additional software. Finally, to support the add-on application market, the interfaces to mobile phone operating systems are well defined. By contrast, automobile and nuclear reactor controller systems are not so well documented, and some even run relatively unknown, scarcely publicized, proprietary operating systems. Physical and logical access to reactor control systems is generally limited, and although automobiles are readily available, the access to the operating system (USB port? Networking?) is less evident. Thus, rootkits are less likely on automobile systems or reactor control systems. That having been said, however, it is by no means impossible for such a rootkit to be installed.
4.
One factor enabling rootkit development and introduction is software complexity, although complexity is not necessarily a cause of rootkits. List countermeasures against software complexity. (1) Good software engineering design principles: modularity, cohesion, low coupling (similar to least common mechanism), and limited purpose. (2) Rigorous software development scrutiny: effective design and code reviews, strong configuration management, code-to-documentation comparison (complex code is hard to describe
functionally or mechanically, so complexity can show up in the documentation). (3) Careful configuration control and analysis of changes (because changes can become a weak point at which the code’s actual effect differs from its original designers’ intentions). 5.
Consider an ordinary door lock. How does it reflect the reference monitor concept? First, door locks are engineered to withstand physical attacks; they are constructed of hardened metals and they attach securely to doors and door frames; thus they are tamperproof. Second, door locks implement a solid unit to prevent access when locked; it is infeasible to bypass or disable the lock. Finally, locks are relatively simple objects: a series of pins that rise and fall as a key is inserted; only with the right key do the pins rise to the correct height to permit the lock’s cylinder to turn and the lock to open. Thus, a lock is simple enough in design to permit (and to have permitted, over centuries) full analysis of the lock’s operation.
6.
Why is security as an add-on more difficult to achieve than security integrated from the early stages of design? Any add-on has to fit in with the existing design. Thus, a design such as the hierarchical design of PSOS described in this chapter is unlikely because the basic design will not provide for a new hierarchical layer with security-critical functions. Even procedure interfaces will be fixed without consideration of parameters that should be included for security purposes.
7.
Suppose you wanted to make a trusted coffee cup. What would such a concept mean? How would you justify that your cup was trusted? “Trusted” does not exist in a vacuum; it means trusted to meet its requirements (to adhere to and enforce a security policy, in the context of a “trusted operating system” or “trusted program.”) The first step, then, is to define the requirements of a trusted coffee cup. A coffee cup is intended to hold hot liquids, to allow one to drink those liquids, and to be safe for use. Next, from those primitives, you could derive specific requirements such as strength of materials, a structure to permit holding by hand and drinking, and construction from food-safe materials. Then, you would develop (implement) the coffee cup and devise a means to build confidence in the cup’s trustworthiness. Finally, you would address assurance. You might find an independent review body to assess your design, implementation, and construction. You might distribute cups to people and ask them to record their trust in the cups anonymously and without bias. You might perform your own testing, although from a trust perspective, your own testing is somewhat suspect, because you have a natural bias. You would publicize your assurance measures as a way to convince others to trust your cup.
8.
Explain how the environment of use affects the design of software that enforces security. You might consider the difference between code in a standard computer versus a bank teller machine (ATM) versus a computer on a spacecraft orbiting Mars. Environment of use relates to the kinds of access attackers can achieve, equivalently, the nature of threats. Physical access, network interaction, and software introduction and download are all relevant to standard computers. ATMs are well protected against physical access and have a limited user interface. A computer on board a
spacecraft is physically unreachable and has limited network access. Thus, the security designer must deal with a broader set of threats to a standard computer because of the greater environmental protections for the other two cases. 9.
Explain what activity a rootkit could monitor and control by replacing the address to which hardware transfers in order to process a system service function call, such as NTQueryDirectoryObject. Intercepting a system call means the system will invoke the rootkit instead of the code that would normally handle that function call. Typically, control is passed to the handler in privileged or supervisor mode, which means the rootkit has access to virtually all system resources. The rootkit can itself call the original handler code, but control will return to the rootkit, so the rootkit can adjust both the inputs going to that original handler and the outputs produced by it. Additionally, the rootkit can take essentially any other action.
Chapter 9: Scanning the Horizon This chapter is the first to delve deeply into network security. To appreciate this chapter, students need to understand packets, addressing, services and ports, a conceptual model of network data communication (such as the seven layer ISO OSI model or the four layers of TCP/IP), and Internet protocols. Students do not need advanced understanding of that area, but they do need to know and understand the terms. Many students will probably already have that background, and if they are lacking some part of it, an extra one- or two-hour help session on basic networking concepts can supply the needed content.
Instructional Suggestions Examples here are relatively easy to obtain. The Nmap scanner is free (http://sourceforge.net/projects/nmap-scanner/) and with it you or the students can scan some example networks. Warning: Scanning is not universally permitted. If you have access to a network lab or a locally-owned network, or if you can obtain permission from a network administrator, you can scan it. Although Nmap (or another scanner) will scan any logically accessible network, doing so without permission is both legally and morally problematic. If you can obtain them, scan reports from a loosely-protected (perhaps laboratory) network are instructive. Firewall configurations are more readily available. Network administrators are justifiably reticent to release their current configurations, but firewall vendors often provide sample configurations.
Chapter Exercises 1.
Is there any reason why a network administrator should ensure that known vulnerabilities are patched on hosts on a network that has no connection to any external network? Justify your answer. Network connections are not the only source of malicious attack code. Someone can bring in an infection on a removable memory device, or a portable host (laptop) on the network can be connected temporarily to an external network. It is even possible that a malicious insider would attack another host on the internal network. Therefore, all known vulnerabilities should be addressed, even on isolated networks.
2.
One network administrator said, “My systems are used for nothing that could not be shared with the whole world; therefore, I have no need to stay current with vulnerability patches.” Do you agree with this administrator’s position? Justify your answer. Sharing data is not the only possible attack. A vulnerable host could be co-opted for use in attacking other internal or external hosts. Such a host could be disabled, so its legitimate users would be denied service. Or a host could be compromised and used for illegal activity, leading to possible criminal liability for the host’s owner. Thus, the administrator’s position is not valid.
3.
Is there any harm in running a service, such as FTP (file transfer) on a system on which there is no need for file transfers? Justify your answer.
The harm is that running the service implies executing code that checks for and handles FTP transfers. If that code contains an exploitable flaw, the host running it could be compromised. 4.
Outline the points in favor of and against the following proposition: Port scanning involves only examining responses returned in response to queries anyone can make; therefore, it is an ethical activity. Pro: The probed hosts are not accessed beyond the probe, and only a nominal amount of computing time is used so there is essentially no impact. Also, the results are public. Con: This activity has no legitimate purpose to an outsider. Knowledge of a network configuration or vulnerabilities may tempt the person doing the scan to make further use of that information. Every probe executed carries a small but nonzero risk that the code executed will exercise a flaw unintentionally and cause harm to the computing installation.
5.
Port scanning is possible because service daemons have to respond to all connection requests; that is, the daemon cannot distinguish a valid service request from a scan attempt based on just the first communication. (After obtaining information such as an identity and authenticator, a service daemon may decide to terminate the session.) Outline a protocol by which a server could defer revealing its identity (service, application name, and version details) until having been assured of the party requesting the connection. Also describe what effect this would have on requesters’ confidence. Briefly, the requester provides some identification and authentication as part of the opening step of connecting to a port. The receiving host determines if it wants to accept a connection from that agent; if not, the host does not reply, so the requester cannot distinguish between a service not supported and a server that denies a connection.
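One way the protocol outlined in this answer could work, as an added example that is not from the book: the requester's first message carries an identity, a timestamp, a nonce and an HMAC authenticator, and the server sends nothing at all unless they verify. The pre-shared key, the names `QuietServer`, `client_hello` and `client_accepts`, the banner text and the authenticated reply (which lets the requester check who answered) are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

KEYS = {"alice": b"constructed-demo-key"}   # constructed pre-shared secret
BANNER = b"ExampleMail 1.0"                  # hypothetical service identity
MAX_SKEW = 30                                # seconds a hello stays fresh


def _mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields so boundaries are unambiguous."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        m.update(len(f).to_bytes(2, "big") + f)
    return m.digest()


def client_hello(client_id, key, now):
    """Opening message: identity, freshness data and an authenticator."""
    cid, ts, nonce = client_id.encode(), str(int(now)).encode(), os.urandom(16)
    return {"id": cid, "ts": ts, "nonce": nonce,
            "tag": _mac(key, b"hello", cid, ts, nonce)}


class QuietServer:
    """Reveals its banner only to requesters that authenticate in message one."""

    def __init__(self, keys, banner):
        self.keys, self.banner = keys, banner
        self.seen = set()             # accepted nonces; entries older than
                                      # MAX_SKEW could be purged
        self.dummy = os.urandom(32)   # unknown ids follow the same code path

    def handle(self, hello, now):
        """Return a reply dict, or None meaning 'send nothing at all'."""
        try:
            cid, ts = hello["id"], hello["ts"]
            nonce, tag = hello["nonce"], hello["tag"]
            key = self.keys.get(cid.decode(), self.dummy)
            ok = hmac.compare_digest(tag, _mac(key, b"hello", cid, ts, nonce))
            fresh = abs(int(now) - int(ts)) <= MAX_SKEW
            if not (ok and fresh) or nonce in self.seen:
                return None           # bad tag, stale hello, or replay
            self.seen.add(nonce)
        except (KeyError, TypeError, ValueError, AttributeError, OverflowError):
            return None               # malformed probe: stay silent
        # The reply is bound to the requester's nonce, so it cannot be replayed.
        return {"banner": self.banner,
                "tag": _mac(key, b"reply", nonce, self.banner)}


def client_accepts(hello, reply, key):
    """Requester side: silence looks exactly like 'no such service'."""
    if reply is None:
        return False
    expected = _mac(key, b"reply", hello["nonce"], reply["banner"])
    return hmac.compare_digest(reply["tag"], expected)


if __name__ == "__main__":
    t0 = 1_700_000_000                # constructed clock value
    server = QuietServer(KEYS, BANNER)
    hello = client_hello("alice", KEYS["alice"], t0)
    reply = server.handle(hello, t0 + 1)
    print("authenticated requester sees:", reply["banner"])
    print("reply verified by requester:", client_accepts(hello, reply, KEYS["alice"]))
    print("replayed hello gets:", server.handle(hello, t0 + 2))
    print("unauthenticated probe gets:", server.handle({}, t0))
```

A scanner, a replayed hello and a request with the wrong key all receive the same result, silence, which is what keeps the service, application name and version hidden from unauthenticated parties.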
6.
What is a justification for one network’s having two separate firewalls, the first a packet filtering gateway and the second an application proxy? The alternative would be to merge these two functions into a single unit. What advantages are there of the separation? These two firewalls operate at separate protocol levels, examining traffic for different content. The packet filtering gateway screens packets based on external information such as source and destination address and service. The application proxy operates at an application level based on content internal to a packet. With two separate firewalls each can be optimized for its function, and the code of each is simpler and therefore less subject to vulnerabilities.
7.
A firewall’s security policy essentially defines good and bad traffic. Describe characteristics that a packet filtering firewall could apply to determine that a packet qualifies as good. Source address, destination address, service requested, amount of data.
8.
The two schools of firewall design are default deny (deny anything not on an explicit list of approved traffic) and default accept (accept anything unless a specific rule bans it). List the advantages and disadvantages of each approach. Default deny: Pro: No need to enumerate specific harmful traffic to block. Will block unanticipated harmful traffic that is not on the explicit accept list. Con: Leads to false
negatives, that is, to rejecting traffic that should be allowed. Default accept: Pro: Fewer false negatives because anything unspecified is accepted. Con: Need to enumerate all bad patterns. 9.
Is a firewall an example of security by obscurity? That is, does a firewall merely conceal a network’s structure that a good attacker can determine in other ways? No, security through obscurity implies that security is achieved only because the attacker does not know what is being withheld. The firewall itself blocks certain kinds of harmful traffic, in addition to shielding the internal network architecture.
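The two policies compared in exercise 8 can be run side by side. The following added example (not from the book) is a first-match packet filter that keys on the characteristics listed in exercise 7: source address, destination address and service. The rule sets, addresses (documentation ranges) and sample packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "deny"
    src: str = ANY                # source network in CIDR form
    dst: str = ANY                # destination network in CIDR form
    proto: str = "any"
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def decide(pkt, rules, default):
    """First matching rule wins; otherwise the policy default applies."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            return rule.action, f"rule {n}"
    return default, "default"


WEB, MAIL = "192.0.2.10", "192.0.2.25"   # constructed server addresses

# Default deny: enumerate the approved traffic, reject everything else.
DEFAULT_DENY_RULES = [
    Rule("accept", dst=WEB + "/32", proto="tcp", dport=80),
    Rule("accept", dst=WEB + "/32", proto="tcp", dport=443),
    Rule("accept", dst=MAIL + "/32", proto="tcp", dport=25),
]

# Default accept: enumerate the known-bad traffic, admit everything else.
DEFAULT_ACCEPT_RULES = [
    Rule("deny", proto="tcp", dport=23),   # telnet
    Rule("deny", proto="tcp", dport=21),   # FTP
]

PACKETS = {   # constructed sample traffic
    "web request": Packet("198.51.100.7", WEB, "tcp", 80),
    "telnet probe": Packet("198.51.100.7", MAIL, "tcp", 23),
    "unanticipated service": Packet("198.51.100.7", "192.0.2.40", "udp", 161),
    "new approved service not yet listed": Packet("198.51.100.7", WEB, "tcp", 8443),
}


def compare():
    """Map each sample packet to (default-deny verdict, default-accept verdict)."""
    out = {}
    for label, pkt in PACKETS.items():
        strict, _ = decide(pkt, DEFAULT_DENY_RULES, "deny")
        loose, _ = decide(pkt, DEFAULT_ACCEPT_RULES, "accept")
        out[label] = (strict, loose)
    return out


if __name__ == "__main__":
    for label, (strict, loose) in compare().items():
        print(f"{label:38s} default-deny={strict:6s} default-accept={loose}")
```

The last two packets are where the policies part ways: default deny blocks the service nobody anticipated but also rejects the newly approved one until a rule is added, while default accept admits both.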
10.
A corporate administrator wants employees to concentrate on their jobs and not waste company time doing things that are not job related. Thus, the administrator has the corporate firewall block outbound web access to certain sites, such as the local newspaper or Amazon. Is this a good idea? Explain your answer. Be sure to consider technical and nontechnical aspects. (Technical aspects might include whether a firewall can do the intended blocking; nontechnical aspects might address employee morale.) Technical: Although the firewall might block direct access to the domain of the local newspaper, if the problem is employees reading sports scores or stock market prices, those things are available at other sites. Thus, this firewall blocks one path to the prohibited data, not to the data themselves (via any number of other paths). Nontechnical: If the concern is that employees spend too much time reading the local newspaper, employees can easily switch to another newspaper, blogs, or other sites unrelated to work. In some jobs, however, access to the local newspaper might be necessary, for example, to read an article relevant to the company’s business. Employee morale is harmed if employees feel the company does not trust them or gives them too little freedom.
11.
Explain why small size and simplicity should be criteria for a firewall’s design. A firewall’s decision is based on simple criteria, producing a definitive “admit” or “reject.” Small and simple routines can be analyzed thoroughly for implementation flaws, which adds assurance that the firewall is operating as intended.
12.
What security principles or objectives does a firewall achieve? A firewall is a good example of the reference monitor concept: it mediates all accesses, cannot be circumvented or tampered with, and is simple enough to provide high assurance of correctness. It implements separation and access control. A good firewall is easy to use.
13.
A router directs traffic between two (or more) networks; a packet filtering gateway firewall screens traffic in transit between two (or more) networks. These two functions seem similar enough that perhaps they should be implemented on the same device. Explain the advantages and disadvantages of merging them onto one platform. Pro: One platform. Con: Mixed functionality; potential for one function to interfere with the other’s correctness; possible performance penalty.
14.
Other than the port scan sequence described in this chapter, list another condition that would cause a firewall to have to examine more than one segment of a communications exchange in order to determine whether the traffic was benign.
(1) An application proxy firewall needs a complete object for a protocol interchange; for example, an email proxy would need a full email message, including attachments, as well as source (sender) information in order to simulate the receiving end of an email transfer. (2) If the firewall also performs virus checking (which may not be a good idea), the firewall would need to see an entire object (file or document) to determine if the object is acceptable. 15.
Consider an example of a stateful inspection firewall that sees and allows one item, sees and allows another, and so on, until a critical number of items or some other condition indicates that the traffic stream is harmful and should be blocked. Is there any potential harm in admitting the initial pieces up to the point of determining the stream is harmful? Justify your answer. Suppose instead that the firewall quarantined possibly harmful traffic until having enough data to determine whether the stream should be blocked or admitted. List the advantages and disadvantages of quarantining potentially bad data. Depending on the nature of the harmful data, admitting only some of the data might also be harmful. If the nature of harm is just to overwhelm the recipient by volume or speed of data transmission, it may be difficult to set a threshold for a quantity that is too much; slightly less than the threshold may also be a problem, especially if two or more senders reach the threshold simultaneously.
16.
Why should ease of use (by the administrator to define the firewall acceptance rules) be a criterion for selecting a firewall? After all, network administrators are skilled professionals who understand details of networking, and they only have to set the rules once or modify them occasionally. Even network administrators are human. If a product is hard to use correctly, they risk making mistakes.
17.
Is network address translation an example of security by obscurity? That is, does the firewall merely hide addresses that an outsider might be able to find out some other way? What advantages accrue to a malicious outsider by knowing internal addresses? This question is similar to exercise 9. The firewall performs an important filtering function that does not depend on obscurity; in fact, the filtering is what protects the internal addresses, not that an outsider cannot determine them. Knowing internal addresses could let an outsider know the size, topology, connectivity, degree of use, addresses accessed, and perhaps even specific traffic to or from each inside host.
18.
What security principles does network segmentation satisfy? Separation, self-protection, and least privilege.
Additional Exercises 1.
How does a network architecture implementing a demilitarized zone (DMZ) reflect the design principle of least privilege? Servers in the DMZ operate in an environment with the fewest capabilities and data items with which they can still perform their functions. Thus, a web server in a DMZ has access only to the web content it will distribute to requesting clients. A mail server holds a queue of messages received but not yet distributed to their final destination hosts. If any host in the DMZ is compromised, it can release only the data to which it has access.
2.
Knowing that their products can be used for both good and bad purposes, should vendors of products such as Nmap and Nessus sell such products, or would it be more ethical for them not to develop or market such software? Justify your answer. Ethically, the software vendors can consider the concept of greatest good to greatest number, or the general balance of usefulness to harmfulness. True, such products can be used for malicious purposes. However, the good uses outnumber the harmful ones, and one can even argue that a good use can prevent a harmful one.
3.
The telnet service allows a remote client to perform a text-based interchange with any server at an identified address and port. Thus, an attacker can open a conversation with an email (POP) server on any host that runs a POP server daemon, even though email exchange is typically performed by an email client program, not the user directly. Why is direct human interaction allowed? Should POP sessions be restricted to email clients and email servers? Direct interaction is allowed for several reasons: (1) The POP protocol is defined in character text (ASCII) because the earliest email systems did not employ a user agent program; character-mode interaction has been retained for historical compatibility reasons. (2) To debug mail transfer agent implementations, it can be useful to have a human interface. (3) English language character-mode interaction is a convenient universal standard: mail agents communicate with a limited syntax, making them amenable for interchange between parties who do not even know any other English. (4) Distinguishing between a computer agent and a human is difficult. Speed is one obvious distinction, but slow communications lines can render that meaningless. Being able to compute something tedious (such as the sum of all bits in a message being transmitted) is another differentiator, but unless such computations are necessary for the interaction, they become an unnecessary protocol element and are often dropped in the protocol standardization process. Thus, the original, text-based interaction protocol will probably remain. As described in point (4), separating human from machine interaction is not simple, so restricting POP sessions to machines is probably not worth the difficulty.
4.
Suppose an attacker has found a means to send packets through a firewall without those packets being inspected or blocked by the firewall. The site implements a DMZ containing a web server, but the firewall does not provide the addresses of the DMZ servers to outside clients. How can the attacker arrange to direct a packet to the web server in the DMZ without being able to address it directly? The firewall will direct web traffic (normally port 80) to the web server. Thus, the attacker simply addresses the packet to the known, external address of the web server using the HTTP port, and the firewall will obligingly redirect that packet to the web server.
5.
A firewall can detect a port scan primarily by a number of session requests to different ports coming from the same address. Thus, the firewall has to collect several such requests in order to determine that a port scan is underway, by which point some of the earlier session requests have already been answered, so the scanner has some information. A firewall might be programmed to hold the replies to all such probes for a while, to allow time (and enough incoming
requests) to decide whether these are the first queries of a port scan or just a few legitimate connection requests. Is this a good idea? Justify your answer. It is not a good idea. First, it slows down the responses to legitimate connection requests; second, it requires the firewall to hold a large amount of data until it determines whether a port scan is underway; third, port scans are infrequent relative to the larger amount of normal traffic; and fourth, the attacker (scanner) can adjust the pace of requests to be under the threshold the firewall considers to be evidence of a port scan. 6.
Ultimately, each user wants to be protected from harm. Therefore, it might seem reasonable to ignore network firewalls and simply protect each individual host with its own personal firewall. Is this a good idea? Justify your answer. This is not a good idea. First, certain hosts, such as an email server or web server, have specific roles, and they are best protected by firewalls operating at a particular level. Second, one firewall can protect an entire subnetwork. Third, the firewall is ideally situated to perform network address translation, which an individual host is incapable of doing for itself. Finally, the firewall concept is predicated on its being tamperproof, but a firewall running on a user’s general purpose computer is subject to subversion by anything running on that computer. Thus, although personal firewalls are useful for protecting specific hosts against particular threats, more general firewalls also have an important place in a security architecture.
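For exercise 5 above (holding replies while deciding whether a port scan is underway), the trade-offs in the answer can be measured on a small trace. This added example, not from the book, flags a source once it touches a threshold number of distinct ports inside a sliding window and replays the same trace with and without a reply hold time; the trace, addresses, window, threshold and hold values are constructed assumptions.

```python
from collections import defaultdict, deque


def flag_times(events, window, threshold):
    """Return {src: time at which src reached `threshold` distinct ports
    within `window` seconds}. `events` is (ts, src, dport), sorted by ts."""
    recent = defaultdict(deque)   # src -> (ts, dport) pairs still in the window
    flagged = {}
    for ts, src, dport in events:
        if src in flagged:
            continue              # already identified as a scanner
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:
            q.popleft()           # forget requests older than the window
        if len({port for _, port in q}) >= threshold:
            flagged[src] = ts
    return flagged


def replay(events, window, threshold, hold):
    """Replay the trace with every reply held back `hold` seconds.
    A reply is dropped if its source is flagged before the reply is released."""
    flagged = flag_times(events, window, threshold)
    report = defaultdict(lambda: {"answered": 0, "dropped": 0, "delay": 0})
    for ts, src, _ in events:
        cutoff = flagged.get(src)
        row = report[src]
        if cutoff is not None and (ts >= cutoff or ts + hold > cutoff):
            row["dropped"] += 1
        else:
            row["answered"] += 1
            row["delay"] += hold  # cost paid by every reply that is released
    return flagged, dict(report)


# Constructed trace: a fast scan, a slow scan, and an ordinary client.
FAST, SLOW, CLIENT = "203.0.113.7", "203.0.113.99", "198.51.100.20"
PORTS = [21, 22, 23, 25, 80, 110]
EVENTS = sorted(
    [(t, FAST, p) for t, p in enumerate(PORTS)]          # one probe per second
    + [(60 * t, SLOW, p) for t, p in enumerate(PORTS)]   # one probe per minute
    + [(1, CLIENT, 80), (2, CLIENT, 443), (30, CLIENT, 80)]
)

if __name__ == "__main__":
    for window, hold in [(10, 0), (10, 10), (600, 10)]:
        flagged, report = replay(EVENTS, window, threshold=5, hold=hold)
        print(f"window={window}s hold={hold}s flagged={flagged}")
        for src, row in sorted(report.items()):
            print(f"  {src:15s} {row}")
```

With no hold the fast scan has four probes answered before it is flagged; a 10-second hold withholds all of them but adds 10 seconds to every legitimate reply, and the slow scan still gets four answers even when a 10-minute window eventually flags it.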
7.
Why is the version number of a service daemon useful to an attacker? Why would a daemon want to provide the version number of its code to outsiders? An outsider can probe for or exploit vulnerabilities known to exist in particular versions of a service. Clients interacting with widely-used service applications can use features that exist only in certain versions of the applications.
Chapter 10: Do You Hear What I Hear? Wireless access continues to grow, as universities, companies, and government agencies convert from difficult-to-install cable to wireless access, and as coffee shops, bookstores, bars, airports, and libraries compete for customers by offering free WiFi. Of course, the lure of anything free outweighs any consideration of security risks. This chapter is intended to stimulate students’ thinking about protocols, and the details of security—why security is most appropriately left to experts.
Instructional Suggestions This chapter is one in which students can actually investigate, test, and change security parameters. Starting with the scanning tools of Chapter 9, students can explore the wireless networks to which they are connected. Using network connection tools, they can explore and evaluate their own security settings. In a security laboratory, students can go farther, to intercept communications, spoof SSIDs and MAC addresses, and intercept and overtake existing sessions. You should reiterate the caution that students should practice these techniques only in an authorized, controlled laboratory setting—not in the wild. You should also discuss the ethics of interception and intrusion, focusing on potential harm to others and universality (what would happen if everyone did it).
Chapter Exercises 1.
A common thought concerning privacy is “I have nothing to hide; why should I worry about interception?” Considering the Google Street View project from this chapter, is that a reasonable position to take? Justify your answer. Having nothing to hide does not mean we want our public personae to be even more public. If an outsider can correlate network activity with physical address, the network user can be subject to receiving unwanted advertising through postal mail, telephone, and other media. Anonymous network access is difficult if a person’s network activity can be traced to a physical address.
2.
What limits could be placed on the Google Street View collection activity so privacy rights of individuals would be appropriately protected? It depends on the purpose of the collection. If the goal was to survey degree of wireless network use by address, the collection could be grouped in clusters of ten houses. If the goal was to determine which network protocols were in use, that could have been done without reference to specific location. First, determine the goal of collection; then, structure an activity that meets only that goal.
3.
Are there valid differences between the privacy rights of individuals and companies? Consider, for example, collection of data from wireless signals. Is it acceptable to collect data on companies that would be unacceptable to collect on individuals? Or is the reverse true, that collecting corporate data is less acceptable than collecting personal data? Justify your answer. Different countries’ laws treat people and companies differently. Students should argue this question based on principles of personal privacy: need to know, least invasive method, due process for obtaining, notice of obtaining, ability to see data collected and correct errors.
4.
Google was able to intercept wireless signals by using the program Kismet that receives and records all wireless traffic it can detect. Would making illegal possession or distribution of a program such as Kismet be a reasonable (adequate, effective, and proportionate) countermeasure against wireless interception? Justify your answer. Laws are not always effective: Most countries have laws against murder or theft, but these crimes are committed daily. Worse, detecting and prosecuting criminal use takes valuable police and court time. The Kismet program has valid uses, for example, testing wireless networks or recording transmissions for archival purposes (obviously, only with permission). Thus, outlawing it might not be effective and might prevent other positive uses.
5.
Each frame in the 802.11 wireless protocol contains the MAC addresses of the sender and receiver. Thus, both sender and receiver are identified in every frame, giving more data to an interceptor who might want to spoof either party. Are both data fields necessary in each frame? Why or why not? Is it possible to meet communications needs without displaying both in each frame? How could you redesign the 802.11 protocol to reduce the exposure of having both MAC addresses in each frame? In the initial establishment of a session, both parties could choose a random value to be used for that session only; although an interceptor could obtain the corresponding random values in the initial setup messages exchanged, after the session was established, an interceptor would not have a permanent identity of either party.
6.
The beacon and association process for establishing a wireless communication provides weak identification and authentication. After a successful association has been completed, is the access point reasonably assured of the accurate identity of its sender? Is the sender reasonably assured of the accurate identity of its access point? Justify your answer. From your knowledge of identification and authentication (from Chapter 2 and other places in this book), suggest a new design for creating a connection that would provide greater assurance of the accurate identities of both sides. As shown in this chapter, either side can spoof the address to the other. A better scheme could involve an encrypted, continuous identification. For example, the two sides could exchange the encrypted value of a number, n. The sender encrypts and sends E(n). The receiver decrypts that, obtains n, computes n+1, and transmits E(n+1). The original sender replies with E(n+2), and so forth. Thus, at each stage, continuous authenticity is assured.
7.
In a sidebar in this chapter we describe what we think is a joke by which college students’ computers would be authenticated by their MAC addresses. Why is this a bad security idea? Describe another way that a computer could automatically be recognized as authorized to join a wireless network? (By automatically, we mean that the computer’s owner and perhaps the system administrator would perform some initial setup, but after that, the connection would occur without human action.) Separate from the technical question, is it wise from a security standpoint to have a computer automatically join a network? Justify your answer. MAC addresses can be spoofed, so anyone knowing an authorized MAC address could join the wireless network.
8.
Explain why something like a beacon signal—from either the sender or receiver—is necessary to establish a connection in an open wireless network. Neither sender nor receiver knows there is another, active network agent in range. Thus, either sender or receiver (or both) must send some possibly unanswered probes to determine if anything is listening. Phrased differently, both sides cannot simply listen, because neither will ever hear anything.
9.
The original WEP protocol design was published in 1997 even though weaknesses in the concept were discussed in 1995, and demonstrations of the seriousness of the problems occurred in 2001. Thus, there were hypothetical concerns about the protocol at the time it was published, and after protocol-conforming devices appeared, actual demonstrations confirmed those concerns. In 1997 there would have been several options: (a) withhold the security aspects of the protocol, permitting the design and sale of devices with no security, (b) establish the protocol as a standard and hope that nobody would discover the security weaknesses, (c) hold all wireless protocol suite work (not just the security aspects) until a stronger security component could be designed, (d) ignore various nations’ limits on export of products employing cryptography, and mandate encryption stronger than RC4 with a 40-bit key, even if that meant products manufactured in one country could not be exported to others (even though strong cryptography would reduce but not eliminate security weaknesses in the protocol), (e) give protocol developers a short amount of time, for example, three months, to redesign the security aspects of the protocol suite. This list is not intended to be exhaustive. Pick an option (from the suggestions or of your own thinking) and prepare an analysis of its effect, strengths, weaknesses, impact on manufacturers and users, and political ramifications.
Student freeform answers, judged on their merits.
10.
Explain why cryptologists recommend against static encryption keys, that is, keys that remain unchanged for long periods of time. The longer a key is in use, the more encrypted traffic can be collected and analyzed in an attempt to intuit the key.
11.
WPA uses a 256-bit base key. Assume an attacker mounts a brute force attack against such a key. How rapidly does the attacker need to be able to check a candidate key for a brute force attack to succeed in 30 days? The student needs to compute (or approximate) the number of 256-bit keys and compute how long is available to check each one in 30 days.
Additional Exercises
1.
Is there a functional reason for designing WEP to use only a 40-bit key? The original WEP design used a 40- or 104-bit key; the 40-bit key was included to conform to a U.S.-government restriction on export of products implementing cryptography. However, a short key was also convenient for implementation in wireless routers and wireless network interface cards.
2.
WEP requires users to establish the encryption key at both the access point and the remote device, which causes users to want not to change the key frequently. How could keys be changed more frequently?
One way, that is not optimal, is to require users to change keys periodically; studies with passwords have shown users do not like to be forced to change keys and, when required, will often pick simple passwords. A better approach is an automatic rekeying regime. With this method, sender and receiver choose and install a new key periodically. If there is little reason to believe the current key has been compromised, one side can simply choose a new key, encrypt it under the old key, and send it to the other side. If key compromise may be an issue, the two sides start with a symmetric key, called the master key, used only for key exchange. (Therefore, very few bits are ever encrypted and communicated under the master key.) Then, one side picks any new key, called a traffic key, encrypts it with the master key, and sends the encrypted traffic key to the other side. Any time either side wants to change keys, that side picks a new traffic key, encrypts it with the master key, and sends it to the other side.
3.
Suggest a technique by which a passphrase (a phrase in text characters) could be used to derive a long encryption key (for example, 256 bits), so the entry of a long key would not be prone to error. A passphrase could be taken from any series of letters (and other characters). For simplicity, remove all nonalphabetic characters and convert all alphabetic characters to lower case. Then, all characters would be between 0x61 and 0x7a, in binary 0110 0001 to 0111 1010. Of these only the rightmost five bits vary; the leftmost three are always 011. Join the rightmost five bits from each character of the passphrase to yield enough bits for the desired key length, which means 52 input characters for a 256-bit output. Each line of text in this solutions manual contains about 50 alphabetic characters, so entering approximately one line of text correctly twice is not too difficult.
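The bit-packing described in this answer, as an added example that is not from the manual, shown beside the PBKDF2 derivation that WPA-Personal uses to turn a passphrase and SSID into a 256-bit key. The function names, the sample inputs, and the choice to drop the four surplus bits of the 260 are assumptions of this example.

```python
import hashlib
import math

LETTER_BITS = 5  # low-order bits kept from each lower-case letter (0x61..0x7a)


def packed_key(passphrase: str, bits: int = 256) -> bytes:
    """The manual's scheme: keep letters, lower-case them, join each one's low 5 bits."""
    if bits % 8:
        raise ValueError("key length must be a whole number of bytes")
    letters = [c.lower() for c in passphrase if c.isascii() and c.isalpha()]
    needed = math.ceil(bits / LETTER_BITS)  # 52 letters for a 256-bit key
    if len(letters) < needed:
        raise ValueError(f"need {needed} letters, got {len(letters)}")
    acc = 0
    for c in letters[:needed]:
        acc = (acc << LETTER_BITS) | (ord(c) & 0x1F)  # 'a' -> 1 ... 'z' -> 26
    # 52 * 5 = 260 bits. Dropping the 4 surplus low-order bits is an assumption
    # of this example; the manual does not say which bits to discard.
    acc >>= needed * LETTER_BITS - bits
    return acc.to_bytes(bits // 8, "big")


def packed_key_entropy_ceiling(bits: int = 256) -> float:
    """Upper bound on the key's entropy in bits.

    Each 5-bit group takes only 26 of its 32 possible values, so even
    uniformly random letters give less than 5 bits per letter; ordinary
    text gives far less.
    """
    return math.ceil(bits / LETTER_BITS) * math.log2(26)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256 bits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the manual.
    line = "Each line of text in this solutions manual contains about fifty letters"
    print("packed key      :", packed_key(line).hex())
    print("entropy ceiling : %.1f bits" % packed_key_entropy_ceiling())
    print("WPA PSK         :", wpa_psk("correct horse battery staple", "ExampleNet").hex())
```

The packed key is a reversible re-encoding of the typed text, so its strength is that of the passphrase itself; the PBKDF2 form adds a per-network salt and a work factor for each guess.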
4.
Explain why authentication by MAC address is unreliable. MAC addresses on NIC cards can be reprogrammed. Therefore, a NIC can present any MAC address.
5.
The WEP protocol, introduced in 1997, was discredited by 2001, and WPA, its replacement, was approved in 2004. Yet, in 2008 many sites still used the weaker WEP protocol. Cite reasons why sites might not have changed. (1) Old hardware did not support WEP/WEP2. (2) Users were unaware of the severity of the threat and did not see a need to change. (3) Users feared the conversion would be too difficult.
6.
What reason is there to establish a rogue access point? That is, why would you want to set up a base station, offer people the opportunity to connect, and give them free network access? By attracting people to your access point you have the opportunity to intercept and record all their communications. Although with WiFi the communications travel in the public airwaves, they may be encrypted. If you own the access point, you also own the encryption key and algorithm, thus you can decrypt anything that passes through your base station.
Chapter 11: I Hear You Loud and Clear
This chapter expands on the theme of interception from the previous chapter. Although the case of WiFi is somewhat limited because of the short range of wireless communication, the same principles of interception apply.
Instructional Suggestions
In this chapter, aspects of threat agent, reward, and method–opportunity–motive apply. Who would want to mount an interception (and modification, to be covered in Chapters 12 and 13) attack, for what possible reward, and with what degree of difficulty? At what point does the potential payoff exceed the costs of performing the attack and the risk of being caught? Students without a solid networking background may have some difficulty in this chapter. Depending on your inclination, you can either ignore or expand upon the points requiring more networking sophistication. Students with access to a network laboratory can implement network interception (using a LAN sniffer, for example). Asymmetric—public key—cryptography is an important concept introduced in this chapter. The mathematics of public key encryption can be daunting to students. You can explain to them that understanding what public key encryption is and how it works is not the same as understanding the mathematics behind the algorithms. The web site http://nrich.maths.org/2199 (from the University of Cambridge, England) contains a readable explanation of a primitive public key algorithm called the knapsack algorithm. Although this algorithm has a fundamental flaw, it is still a useful device for communicating the general concept of a hard problem with a simple solution for those in the know. That example helps to communicate the concept of public key cryptosystems painlessly.
Chapter Exercises
1.
Two parties, A and B, need to perform encryption. They have one symmetric key between them. An intruder acquires knowledge of the key. What is the impact on secrecy of previously exchanged messages? What would be the impact on secrecy of future messages? Is there any harm in A’s sending a plaintext message to B saying the key is no longer secret? Should A send that message encrypted with the now-exposed key? Explain your answers. Anything encrypted under the key and obtained in ciphertext by the intruder is now potentially exposed, past or future. If the intruder has the key and can presumably intercept messages, sending a message in any form—plaintext or encrypted—alerts the intruder that A and B now know the key has been obtained. If the parties do not want to alert the intruder, they can communicate out of band: by a telephone call or postal letter, for example.
2.
Four parties, A, B, C, and D need to perform encryption. They share six encryption keys pairwise: A–B, A–C, A–D, B–C, B–D, C–D. Suppose one key is compromised; say, it is C–D. What is the impact on any other communications? Can C announce to D in plaintext that the key has been exposed? Should C use encryption? How can C advise D without the intruder’s finding out that C knows the key has been compromised? Explain your answers. If only the C–D key is exposed, that affects only communications on the C–D channel. As with question 1, if C and D do not want to alert the intruder that they know the key has been compromised, they can communicate out of band, or C could send a message to A or B (under the A–C or B–C key) asking that one to inform D (under the A–D or B–D key). Of course, a separate issue is trust: Does C trust A enough to convey this message accurately and without revealing it to anyone else?
3.
In the previous case of A, B, C, D, the obvious way to rekey is for C and D to use one of the key exchange protocols described in this chapter. Assume C and D do not want to do that. Can A and B help C and D establish a shared secret key? Explain how or why not. C can choose a new key, send it to A, and ask A to forward it to D. C communicates under the A–C key, and A under the A–D key. The difficulty is that now A has a copy of the new C–D key. Worse, if A is not trustworthy, A can set up what is called a “man-in-the-middle” attack (which is explained in Chapter 12). This version is easy, because A can decrypt any traffic between C and D, and even forge new traffic seeming to come from C or D to the other. To get around that problem, C can encrypt the new C–D key under the old C–D key before sending it to A. This solution works if we assume A has not received the now-exposed old C–D key, that is, that the intruder is not A and has not revealed the key to A. Part of the issue here is the degree of trust C has in A.
4.
Suppose four other parties, whom we might call E, F, G, and H, are all working on a common task, so they use one encryption key for all communication. Now, suppose H leaves the project and should no longer have access to encrypted communications. How can the other three ensure that H is now excluded? Unfortunately, E, F, and G now have to choose a new key to share among themselves, and they have to exchange the key using one of the protocols of this chapter (or another protocol). If they encrypt the new E–F–G key under the old E–F–G–H key, H, who still has the old key, can obtain the new key if H can obtain the message under which E, F, and G try to establish this new key. A further difficulty is that H can still decrypt any earlier exchanges already made using the old E–F–G–H key. Obviously, if H copied any of these before leaving the project, E, F, and G cannot reclaim them. However, if the issue is not messages being exchanged but data in a shared repository (think of a cabinet of documents, for example), E, F, and G can decrypt the shared data and now reencrypt it under the new E–F–G key.
5.
Now, in the previous case of E, F, and G, suppose a new partner, J, joins the team. How can the existing team members include J in the protected communications? Adding a partner is easy. They simply send J a copy of the E–F–G key. Often such key transfers are performed using an out of band communications channel, such as a human courier, a registered letter in the postal mail, or an oral communication by telephone.
6.
For the Predator drone example, outline a scheme by which multiple aircraft can securely transmit multiple images to multiple receiver points.
Many-to-many encryption is difficult. One approach is for all parties—all aircraft and all reception points—to share a single encryption key. But, as exercises 4 and 5 demonstrate, adding and deleting members is hard, and the possibility of compromise rises as the number of sharing parties increases. The key exchange protocols of this chapter work (and there are also other protocols). Therefore, a better approach is for each aircraft and each base station that want to communicate to create and exchange a single key useful for the duration of that one session, for example, one flight to obtain and relay images.
7.
As we describe after the Predator drone example, at least two significant vulnerabilities are evident: lack of authentication and lack of encryption. Assume the previous question was answered adequately; that is, assume an encryption scheme was in place by which the drones could communicate securely with base stations. Would that compensate for the lack of authentication? Conversely, assume authentication of all parties: all drones and all base stations. Would that compensate for lack of encryption? Why or why not? The critical problem is authentication of aircraft and base station. Obviously, the enemy would like to be able to impersonate a base station, establish an encryption key, and obtain all the images that aircraft took during the session. Thus, aircraft and base stations need an unspoofable way to authenticate each other. The standard approach for this also uses cryptography with shared keys. The aircraft would send an encrypted message saying essentially “I am aircraft A-101 looking for any receiving station [or for specific receiving station R-102].” The base station would respond in a way that precludes replay of previous messages (perhaps by including the current date and time). In practice, aircraft and base stations change encryption keys frequently, for example daily. The physical encryption keys are heavily guarded, and future keys are not stored on the aircraft, so that even if the enemy obtains an abandoned plane, they retrieve only the current key, which will expire in a short time.
8.
Consider the connection from a landline telephone to the local telephone switching office. Clearly, there is not one long wire directly from the switching office to the telephone; describe some of the points at which there are junctions. How easy would it be for an attacker to tap the communication at each of these junction points, in terms of how exposed or accessible the point is and how many signals would be carried on the common medium from that point? Landline telephony—especially in digital mode—uses devices similar to network switches and routers to direct traffic to a final destination telephone. A telephone call could be tapped at any of these points of redirection, as well as along the physical cable. Although tapping requires sophisticated equipment and detailed knowledge of the transmission medium and protocols, the knowledge is widely known because of the number of partners who cooperate to complete a telephone call. Furthermore, competing manufacturers produce the equipment, so there is an open market for such goods. (The cost to set up your own telephone exchange office is significant, however.) Thus, with appropriate finances, an attacker can meet the “method” criterion for an attack. Number of signals is not a major problem, because telephone companies handle these same calls, so clearly their equipment is capable of isolating each communication and directing it appropriately.
9.
Wiretapping—intercepting private communications—is both illegal and unethical. The situation is not absolute, however. Cite two situations in which wiretapping is legal. Cite two situations in which wiretapping is ethical. For the ethics cases, explain your answer by describing any overriding ethical principles that would justify wiretapping. Wiretapping is legal with a court order to prevent or stop a crime. Wiretapping is also legal with the consent of a wiretapped party, for example, to make a record of a conversation for archival purposes (so, for example, all official telephone calls to a senior government official might be recorded). Calls to emergency services (ambulance or fire department) are typically recorded. A fourth example occurs when a company records its employees’ communications. All these examples are also ethical. In the first case, to prevent or stop a crime, the overriding interest of law enforcement (and perhaps saving a life) overrides any privacy concern. The historical archive is of lesser ethical value, although one can argue that official government business is inherently public (with obvious exclusions for classified communications or sensitive or libelous speech). Finally, the purposes for recording emergency phone calls are to have a record to play back in case the operator erred when noting the address of the incident, to use for possible legal action, or to review for training purposes. A caller to an emergency service has no reasonable expectation of privacy. (You wouldn’t say “my house is on fire, but I don’t want you to tell anyone.”) Thus, for all these reasons, the examples cited are ethical. In the company case, the employer provides the telephone for the employee to use for company business, and all aspects of that business rightfully belong to the employer. 
(Companies that monitor employees’ communications usually advise employees that they have the right and intend to do so, which further supports the companies’ ethical position.)
10.
Think of a postcard as the equivalent of plaintext and a letter in a sealed envelope as the equivalent of ciphertext: Whatever you write on a postcard is exposed for anyone to read, but someone has to open the envelope to read your letter. Is it ethical to read what is written on a postcard? Why or why not? No, it is not ethical; only the intended recipient is ethically justified in reading the postcard (except for situations such as law enforcement to prevent a crime, or when there is another overriding consideration).
11.
Is link encryption useful to individuals, or is it only for organizations having many users? Explain your answer. Individuals can profit from link encryption. For example, WiFi communication between an individual’s computer and access point is link encrypted under both the WEP and WPA protocols.
12.
An advantage of link encryption is that it is “one style fits all”: Everything is encrypted with the same algorithm, key, and procedure. Cite situations in which link encryption may not be appropriate (either too strong or too weak) for certain users. What can users do in these situations? If the traffic is of varying sensitivity, the level of encryption may not be appropriate for all items. A company that communicates highly sensitive business plans and product designs, as well as low sensitivity advertising copy or press releases may find that a single kind of encryption is not appropriate for all data. If the chosen encryption is too strong, as long as there is not an intolerable performance penalty, there is no harm in over-encrypting. If the overall level of encryption is too weak, the company can superencrypt very sensitive traffic with a more secure algorithm.
13.
What are the disadvantages of employing both link and end-to-end encryption? The primary disadvantage is performance: Two encryptions take longer than one, and there are two penalties for exchanging keys and setting up the encryption. In most cases, however, the setup cost is insignificant because it is performed infrequently. Furthermore, time to perform the actual encryption tends to be small relative to the total time for data communication, so the performance penalty for encryption is usually tolerable.
14.
How can an airplane (or any device, for that matter) identify and authenticate itself? A ground controller might hear a pilot say over the radio, “This is Lufthansa 4143 …” and the controller could ask the pilot for additional facts to confirm authenticity, but that is a person-to-person interchange. How can one device (an airplane, for example) convince another device (a base station, for example) of a meaningful and unique identity? Think of the properties of authentication, and suggest some approaches that would work in a fully automated exchange. The best authentication involves a shared, secret encryption. Almost anything else could be deduced, derived or computed by another process.
15.
Now choose another classmate and exchange your answers to the previous question (about one device’s authenticating itself to another). For this question, your goal is to subvert the accuracy of the identification scheme. What would you as an attacker do to create a rogue communication that masquerades as the actual device or prevents the actual device from being successfully recognized? Rate each step of your counterattack as easy, feasible but hard, or very difficult.
16.
Key backup is an important and seldom considered issue. As we describe in this chapter, the holder of an encryption key can be sick, unreachable, or otherwise unavailable. Major organizations have a contingency plan for handling such emergencies. Suggest ways that an organization could prepare for a needed key’s being unavailable. Would your plan also work for needed passwords or other critical data? That is, a critical file might be protected by a password, but the person who knows the password is unavailable. How could this case be dealt with? Suppose access is controlled by a biometric. How could the person’s absence be dealt with? For knowledge such as an encryption key or password, the data could be left with a trusted third party, locked in a safe to which trusted other(s) have access, or divided into pieces and split among several others. In this last case, the security comes from several people being required to cooperate to obtain access, thus each is a check on all others. A biometric is almost impossible to duplicate, nor would you want it. However, a second person could be registered for emergency access, and the biometric of the second person would be used.
17.
Explain why the names symmetric and asymmetric encryption are appropriate. Symmetric encryption: the encryption key is the same (the meaning of prefix sym- is same) for both parties. Asymmetric encryption: the keys are different (the prefix a- means not, so asym- is not the same).
18.
Asymmetric encryption is slower than symmetric encryption by a factor of 10,000 or more. Derive the implication of this disparity. That is, estimate how long it might take to encrypt a file of size n using a symmetric algorithm (by consulting the advertised performance of real encryption products). Then determine how long it would take to do the same encryption using an asymmetric algorithm that was 10,000 times slower.
19.
Explain why encrypting with a sender’s private key demonstrates authenticity. Presumably only the sender has that private key, so anything encrypted with that key must have been produced by the sender.
20.
Explain why encrypting with a receiver’s public key achieves confidentiality. Anyone can encrypt with the receiver’s public key, assuming that key is publicly distributed. Encrypted text is protected against loss of confidentiality. The receiver is presumably the only person with the matching private key, so only the receiver can break the confidentiality.
21.
Can a symmetric encryption algorithm be used to implement integrity? Explain your answer. Can an asymmetric encryption algorithm be used to implement integrity? Explain your answer. Any encryption algorithm can be used to implement a form of integrity, in that only people who have the matching decryption key can remove the encryption and make meaningful changes to the data. Anyone can change bits, but changing bits without knowing their interpretation cannot produce meaningful change. Thus, meaningful change is prevented, although crude change is not blocked. Ideally, the receiver can detect unsophisticated change.
22.
Breaking encryption by cryptanalysis is quite difficult. Performing a physical wiretap is somewhat less difficult. Give other even less difficult ways to obtain sensitive data. Bribing or coercing a data owner, or applying social engineering to trick the owner into revealing sensitive data.
Additional Exercises 1.
Can authenticity be demonstrated using a symmetric encryption algorithm? Why or why not? Assuming an encryption key is shared between two parties, A and B, if A receives encrypted text, that text could have come only from B.
2.
Can nonrepudiation be demonstrated using a symmetric encryption algorithm? Why or why not? If A has a piece of encrypted text, and a key k is shared by only A and B, A can hold up the encrypted text and use k to show it was encrypted with k. However, that encrypted text could have been produced either by A or B.
3.
Can nonrepudiation be demonstrated using an asymmetric encryption algorithm? Why or why not? B can encrypt data with B’s private key. A, or anyone else who has B’s public key, could decrypt it using B’s public key. The fact that the data decrypts with B’s public key shows that the encryption could have been applied only by B, the unique person who held B’s private key.
4.
DES and RSA encryption were both invented during the 1970s. DES alone became weak in the 1990s, but the strength of RSA remains largely unchanged. Why did DES degrade but not RSA? DES was fixed to a 56-bit key length, which meant that as the speed of computers increased, the number of keys that could be tested in a given amount of time increased correspondingly. By the late 1990s, checking all keys, which was infeasible in the 1970s, became feasible. RSA uses a key whose size depends on the parameter n chosen when the key pair is generated. Thus, before decryption speed got to the point that a brute force key search became feasible, users could generate a pair of longer keys.
5.
Kerberos depends on an infrastructure involving a ticket granting server, authentication server, and key distribution center. How is this structure a liability? The entire infrastructure has to be operational and available for accesses to be allowed in the Kerberos environment.
6.
Explain the concept of single sign-on. With single sign-on, a user signs on and authenticates to a system once. From that point forward, the system negotiates with subsystems on the user’s behalf, passing the user’s authenticated identity and credentials, so the user need not authenticate to any of these subsystems.
7.
Assume in the Predator drone example, a sophisticated confidentiality scheme had been implemented, securing the secrecy of air-to-ground communications. Suppose one of those aircraft crashes in enemy territory, so the entire confidentiality mechanism is now in enemy hands. What are the threats to which such a scheme is now exposed? Hypothesize some vulnerabilities that the enemy might seek to exploit. Threats: enemy learns of scheme, enemy learns details of scheme, enemy designs and implements countermeasures, enemy can decrypt previous transmissions. Vulnerabilities: hardware (computer) contains program, computer contains current encryption key, computer contains future encryption keys. Sometimes hardware like this is loaded with a small explosive charge so that in the event of a crash, the computer is destroyed to prevent its falling into enemy hands. Also, as described in Interlude C, the computer can be equipped with a remote “kill switch” so that the aircraft’s owners, sensing that the plane is or may have fallen into hostile hands, can send a remote signal to the computer to destroy itself.
8.
In a sidebar in this chapter we described a researcher who was able to capture computer screen images reflected off shiny objects, such as a teapot, eyeglasses, or a window. Although this project is only a rough research idea (the interceptor was able to read only messages in 36 point type—roughly three times as large as the type in this book or approximately ½ inch or slightly over 1 cm.), other researchers might be able to improve the result. Discuss possible countermeasures, comparing their efficiency with their impact on usability.
The difficulty is that images reflect on any shiny surface, such as eyeglasses, or even eyeballs. Blurring the image makes it harder to intercept, but also more difficult for the user to read. Users might be issued with special glasses that have a nonreflective surface, but these might be cumbersome or inconvenient. Finally, there is little that can be done about the reflectivity of the human eyeball. The better approach is to focus on the interceptors, denying them access by which to obtain these images, for example, with closed doors, curtains on windows, and physical access control. Although this threat is currently only hypothetical, it is a good example of the unintended consequences of technology. It is also a good example of needing to balance other competing needs, such as usability, with security. A secure but unusable solution is probably unworkable.
Interlude B: Electronic Voting
In this interlude we present another example topic with significant security implications, as a learning device on which students can hone their analytical skills.
Instructional Suggestions
In this chapter students can examine a topic with which they are rather familiar. One way to start the analysis is by considering what would constitute a perfect election, regardless of implementation method (paper ballot, electronic, show of hands, etc.).
Election Security Requirements
Although it would seem as if correctness is the only requirement and it is easy to judge, in fact, many requirements comprise a proper election result:
• Every vote cast is counted.
• Every vote cast is counted only once.
• Every vote counted matches the vote of a unique voter.
• The reported sum of votes correctly corresponds to the count of votes.
• Only authorized voters can cast votes.
• Every authorized voter is allowed to cast a vote.
• An authorized voter can cast only one vote.
• Unless only one vote is cast, it is impossible to associate a particular vote with a particular voter.
• After an election, it is possible to determine which voters cast votes.
These properties apply to all kinds of elections. In addition, for electronic elections, additional requirements apply.
• If a technical failure causes voting to be suspended, it is possible to know with which votes a partial sum corresponds. That is, if the k-th vote is being processed, officials can know that the first (k−1) votes have been tallied, and no choices from ballots k on have been processed.
• After the election, all votes and the sum are available to verify that the sum accurately reflects the votes cast.
• After the release of results, each voter can inspect the votes and total to ensure that the voter’s choices are included in the total.
• During the course of the election, no election official can determine the contents of any voter’s choices.
• The roll of authorized voters is created and modified only by authorized officials.
Your students may be able to add to this list. Note that such requirements describe a perfect election. In practice, even without computers, we tolerate imperfect elections: ballots are spoiled to the point of being unreadable (and hence uncountable), unauthorized people somehow are able to vote, authorized voters are prevented from voting, absentee votes can be lost in the mail or delayed until their value is lost, power loss or other natural disasters can prevent votes from being cast, and people impersonate legitimate voters, to name a few problems. In part, we accept such imperfections because few races are close enough for minor problems to matter; we figure that the cost of countermeasures exceeds their value. Some elections, however, are decided by small enough margins that a few votes could make a difference. Still, we accept an imperfect system as being good enough at its cost. Thus, we should not necessarily hold an electronic election to a higher standard than its manual counterpart. We should consider the potential threats and vulnerabilities, and make an informed choice as to which risks we are willing to accept.
Attackers
An election has many people who would want to alter the outcome. Examples your students might derive include:
• Corrupt officials: wanting to stay in power or see colleagues brought into power, or to punish voters who choose the wrong candidate.
• Corrupt election workers accepting bribes for allowing or denying votes.
• Outsiders (organized criminals, lobbyists, or political operatives) offering bribes for allowing, denying, or altering votes.
• Individual voters wanting to retroactively deny or change their votes.
• Anarchists wanting to nullify or decertify an election, to undermine confidence, or to prevent voting.
• In addition to human threat agents, your students should identify loss of electrical power, natural disasters, and uncontrollable mass catastrophes.
Now, your students should examine what effect each of these threat agents could cause.
Method–Opportunity–Motive
For each of these threats, your students might work through the principles of method, opportunity, and motive.
• What skills would be needed?
• What inside knowledge? How could someone obtain the knowledge necessary for the attack?
• What amount of access? How could a person obtain hardware and software necessary to test the attack in advance?
• How difficult would it be to mount a particular attack?
• Would the attack have local effect (one polling place) or general (the entire election process)?
Security Threats
The standard security threats are a good starting point for analysis. In this Interlude, we list several attacks:
• Secrecy: Attacks through program flaws, by social engineering or impersonation (of an election official), by wiretapping and other forms of interception, and from physical security failures (consider the keystroke logger of Chapter 5).
• Integrity: How does a voter know that ballot marks are correctly counted? Even if an audit log shows all the ballots counted and a voter finds one with exactly that voter’s choices, how does the voter know that vote corresponds to his or her ballot and not that of someone else who voted for the same candidates? How does an election official know the roll of eligible voters is correct (created and modified only by authorized people only in authorized ways)? In what other ways can an attacker threaten the correctness of the electoral process?
• Availability: As cited in this chapter, usability is both an advantage and a disadvantage for electronic voting. Computers can help by making elections more accessible, for example, to people with physical limitations (such as a large-print ballot image) or with instructions in a foreign language. Ballot design can make it easy for people to understand and cast their votes, but certain features, such as the order of candidates’ names, can be a preference for one candidate over another. Computers, and a local area network for a voting place, are dependent on electricity, and some voting solutions depend on a unique single device (for example, a workstation to accept and record vote totals) without which the election process cannot proceed. How else could availability be limited?
Controls and Countermeasures
Numerous electronic election systems have been implemented, with varying degrees of success. A popular countermeasure is penetration testing. Have students review the comments on penetration testing—especially the time and effort necessary to do it right—in Chapter 3. Testing has been effective in finding significant flaws in voting systems, as described by Bishop and Kemmerer and by Halderman. The popular press has articles on voting system failures. Students coming from engineering and computer science backgrounds want a technical solution, and they can design more and more elaborate schemes for casting and counting votes fairly. University students sometimes need to be reminded of the constraints of the real world:
• Cost: Any approach needs to be implemented in all voting places in the voting area. The state of Kansas, for example, has about 2,000 polling places for approximately 1.7 million registered voters, so the cost of technology has to be small enough to be affordable by that number of uses.
• Usability: Voters and poll workers come from the entire population. They are not all technologists, and they do not all have the same physical and mental acuity as university students. Approaches need to be simple enough for wide use.
• Correctness and openness: Even though flaws appear in all kinds of applications, voting has high visibility. A flaw in a retail sales or school registration system will not attract nearly as much public attention as in a voting application, even though the first systems may be more critical. And a flaw can doom a voting system: People have perhaps unreasonable expectations of the correctness of voting applications and will tolerate no errors.
Students need to appreciate these constraints on the security of electronic voting.
Chapter 12: Disregard That Man Behind the Curtain
This chapter addresses several similar threats under one heading. All these threats are examples of protocol failures, in which two end parties are fooled by a party in the middle. The domains in which these failures occur range from network address translation to web browsing to physical intrusion.
Instructional Suggestions
Instead of introducing new countermeasures, this chapter reiterates the importance of old ones, such as strong identification and authentication, cryptography to enforce integrity, and protocol analysis to prevent data leakage and loss of control. Although there are no new countermeasures, the range and severity of the in-the-middle attacks should impress your students. It is easy to set up examples of real-life in-the-middle attacks, with students impersonating or infiltrating exchanges. Students can appreciate the nature and severity of these failings by careful examination of the threat examples. Exactly how does a man-in-the-browser attack work? And why? Why doesn’t the encryption financial sites use protect against this class of attack? Why doesn’t a user spot a program download substitution attack or a page redirection attack? What would be necessary to allow a user to spot these kinds of attacks? Even though the Internet routing attacks described in this chapter are fairly sophisticated, the basic outline is something even students with limited understanding of networking can understand. It is worth taking the time to dissect a couple of these attacks in detail to help students practice their threat–vulnerability–countermeasure skills.
Chapter Exercises
1.
Why is caching DNS query results a good strategy, in spite of the possibility that the cache may have been corrupted by a malicious outsider? Caching improves performance. People tend to return to favorite web sites, so caching reduces the number of times a full address lookup must be performed.
2.
Does it really matter if a DNS query resolves incorrectly? Won’t a user wanting to go to a site such as xyz.com readily notice being at uvw.com instead? Explain your answer. In many cases, uvw.com will be readily recognized as an incorrect web site. Ignoring the user annoyance and confusion problem, however, if a malicious attacker can force an incorrect address resolution, the attacker can redirect a user to a false lookalike of the intended web site, which the user might not detect readily.
3.
The routing attack described in this chapter occurs because routers advertise domains over which they have control. The protocol assumes routers will be honest in what they advertise. Being overtaken by a malicious attacker could be one reason a router would broadcast the wrong information about its routing capabilities. What is another reason not based on malicious activity?
Routers and their software are subject to failure. A simple hardware failure could corrupt the address a router broadcasts.
4.
How can a router validate the veracity of information it receives from other routers? Suppose router B tells router A that B is the best route to router C. A can contact C through B to inquire if B is really the best router. Routing protocols could—although they currently do not—validate changes by checking with neighbors and end points when a new routing is received. The current routing protocol is largely based on trust and rebuilding routing information if any becomes corrupted.
5.
Details of the BGP router protocol are well documented, but the information exchanged between routers is complicated, which makes it unlikely for an average hacker to successfully impersonate a router in a significant network. Would it be feasible for an attacker to infiltrate a major network, such as that of a large company or even an ISP, to attack other network routers? Explain your answer. Because of the specialized and complicated BGP protocol, most outsiders are unable to impersonate a router successfully. However, remember method, opportunity, and motive. Method is well known, if difficult. Opportunity is present because routers interact publicly with other routers. Motive is the key element, therefore: If an attacker is sufficiently motivated to overtake a router and has adequate time and money resources, routers are vulnerable.
6.
The SilentBanker man-in-the-browser attack depends on malicious code that is integrated into the browser. These browser helpers are essentially unlimited in what they can do. Suggest a design by which such helpers are more rigorously controlled. Does your approach limit the usefulness of such helpers? One approach deals with trust, in the same way new applications and especially updates to existing ones are installed. An update signed and distributed by a major corporation that owns the application (for example, Microsoft for Windows products, Adobe for Reader, or Apple for QuickTime) comes with an implicit seal of approval. Of course, the major company assumes certain legal liability for third-party code, which becomes risky and therefore is something many firms are unwilling or at least unlikely to do.
7.
A cryptographic nonce is important for confirming that a party is active and fully participating in a protocol exchange. One reason attackers can succeed with many web page attacks is that it is relatively easy to craft authentic-looking pages that spoof actual sites. Suggest a technique by which a user can be assured that a page is both live and authentic from a particular site. That is, design a mark, data interchange, or some other device that shows the authenticity of a web page. A web page could have a field containing an encrypted number, encrypted under a key shared by the browser and user, that the user could check to determine authenticity of the web page content. However, the encrypted number would have to relate to the entire web page, so the attacker could not change the page but send along the authenticating encrypted number. The encrypted number could be a checksum value for the page, showing its likely unchanged status.
8.
Part of the problem of malicious code, including programs that get in the middle of legitimate exchanges, is that it is difficult for a user to know what a piece of code really does. For example, if you voluntarily install a toolbar, you expect it to speed your search or fulfill some other overt purpose; you do not expect it to intercept your password. Outline an approach by which a piece of code would assert its function and data items it needed to access. Would a program such as a browser be able to enforce those access limits? Why or why not? This is a difficult challenge. A branch of computer security called formal verification, theorem proving, or proof carrying code involves writing a set of assertions about code and then demonstrating through methods of formal logic that the assertions are valid. These assertions can describe both what the code does (given x and y, this routine produces the result x+y) and what it doesn’t do. Thus, it would be possible for a piece of code to have its own set of assertions that the browser could verify. The problem with theorem proving approaches is that they tend to be time-consuming, require significant amounts of memory, and work only for moderate code lengths. The idea behind proof carrying code is that it embodies its assertions and the steps by which a verifier can confirm those assertions; thus, instead of creating a new proof, the browser only has to validate a proof supplied, a much simpler (faster and smaller) task.
9.
A CAPTCHA puzzle is one way to enforce that certain actions need to be carried out by a real person. However, CAPTCHAs are visual, depending not just on seeing the image but being able to recognize distorted letters and numbers. Suggest another method usable by those with limited vision. An audible puzzle could also be used. People are relatively good at filtering sound, to exclude background noise such as conversation in the background or extraneous noises such as highway traffic. People could be asked to type words presented against a background of distracting sounds.
10.
Are computer-to-computer authentications subject to the weakness of replay? Why or why not? All authentications are subject to replay. However, in computer-to-computer contexts, the issue becomes exchanging a secret securely between two computers. After the secret is exchanged, the two parties can use encryption to preclude replay.
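The checks asked for in exercises 7 and 10, as an added example that is not from the book: the site returns a keyed MAC (HMAC, used here in place of the answer's encrypted checksum) over the client's fresh nonce and a digest of the whole page, so a changed page or a recorded response fails verification. The names `Site`, `Verifier` and `run_exchange`, the pre-shared key and the sample page are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def page_tag(key, nonce, page):
    """MAC over the client's nonce and a digest of the entire page body."""
    digest = hashlib.sha256(page).digest()
    # Both parts have fixed length (16 + 32 bytes), so concatenation is unambiguous.
    return hmac.new(key, nonce + digest, hashlib.sha256).digest()


class Site:
    """Genuine site: holds the shared key and answers each challenge."""

    def __init__(self, key, page):
        self._key = key
        self._page = page

    def respond(self, nonce):
        return self._page, page_tag(self._key, nonce, self._page)


class Verifier:
    """Client side: issues one-time nonces and checks responses."""

    def __init__(self, key):
        self._key = key
        self._outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def check(self, nonce, page, tag):
        # Liveness: the nonce must be one we issued and have not yet accepted.
        if nonce not in self._outstanding:
            return "unknown-or-used-nonce"
        self._outstanding.discard(nonce)
        # Authenticity: the tag must cover this nonce and this exact page.
        expected = page_tag(self._key, nonce, page)
        if not hmac.compare_digest(expected, tag):
            return "bad-tag"
        return "ok"


def run_exchange():
    key = secrets.token_bytes(32)                        # constructed shared key
    page = b"<html><body>Balance: 100.00</body></html>"  # constructed page
    site, client = Site(key, page), Verifier(key)
    results = {}

    # 1. Honest exchange.
    n1 = client.challenge()
    body, tag = site.respond(n1)
    results["genuine"] = client.check(n1, body, tag)

    # 2. Page changed in transit, original tag sent along unchanged.
    n2 = client.challenge()
    body2, tag2 = site.respond(n2)
    altered = body2.replace(b"100.00", b"0.00")
    results["tampered"] = client.check(n2, altered, tag2)

    # 3. Recorded response from step 1 presented again with its old nonce.
    results["replayed_old_nonce"] = client.check(n1, body, tag)

    # 4. Recorded response presented against a fresh challenge.
    n3 = client.challenge()
    results["replayed_new_nonce"] = client.check(n3, body, tag)
    return results


if __name__ == "__main__":
    for case, verdict in run_exchange().items():
        print(f"{case}: {verdict}")
```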
11.
In the air defense example with which we began this chapter, radar screens were presumably fed images showing no incoming traffic. Sketch a block diagram of inputs, processing, and outputs designers of such a system might have used. Show in your diagram where there are single points of failure. In some situations, we can prevent single point failures by duplicating a component that might fail. Would such a strategy work in this case? Why or why not? Another counter to single failure points is to triangulate, to obtain different kinds of data from two or more sources and use each data piece to validate the others. Suggest how triangulation could have applied in this case.
Student response.
12.
What security principles are violated in the Greek cell phone interception example? Perhaps most important, the code depended on security through obscurity: The manufacturers assumed that users would never be able to invoke code they were never informed was in the distributed version. With appropriate modularity, the designers could have had separate modules for these additional functions, but distributed code for only the modules purchased, along with “empty” routines for those not distributed. (These empty routines would do nothing and return immediately. The meaning of “nothing” depends on the function of the original routine—it might mean to ignore inputs, return the inputs unmodified, or return a parameter indicating normal operation, for example.) A log of changes applied should have been kept. Installed code should have had a checksum, on the order of tripwire, to show it was not changed after being loaded. At some point privilege level was presumably violated, so that an unidentified person was able to change code.
13.
Is the cost, processing time, or complexity of cryptography a good justification for not using it? Why or why not? Yes, all of these are reasonable justifications. However, they are only one side of the balance: Countering those is the magnitude of harm cryptography could prevent. A proper decision would require considering both the expected or potential degree of harm and the cost of the countermeasures.
14.
DNS poisoning is possible because a network-addressing module sends a request for an address to be resolved, and then takes the first response that arrives. Discuss the merits of another approach, for example, that when two responses arrive, they will be compared and one will be selected according to certain criteria. What might those criteria be? Does it make sense to base a decision on multiple criteria? Why or why not? Taking the first answer has a clear speed advantage, and if the environment is assumed to have few valid threats, the fast solution may be a reasonable choice. Criteria for taking a different response might be arrival time (taking a response that arrived ten per cent later might be justifiable, as opposed to one that took three times as long), or history of responses from the sender (a router that has previously sent acceptable resolutions), for example. Recognize, however, that waiting for multiple responses and weighing their characteristics takes time, and address resolution is performed often.
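An added example, not from the book, of the multi-criteria selection discussed in exercise 14: responses are collected only until 10 percent past the first arrival, and a disagreement among them is settled by each sender's history of acceptable answers. The function names, the 0.9 trust threshold, the server names and the addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    sender: str        # name of the responding server
    address: str       # address it claims for the queried name
    arrival_ms: float  # time after the query was sent


def trust(history, sender):
    """Fraction of this sender's past answers that proved acceptable."""
    accepted, total = history.get(sender, (0, 0))
    return accepted / total if total else 0.0


def select_response(responses, history, max_delay_ratio=1.10, min_trust=0.9):
    """Return (chosen Response or None, reason).

    Criterion 1, arrival time: only responses arriving no later than
    max_delay_ratio times the first arrival are weighed at all.
    Criterion 2, sender history: if those responses disagree, prefer the
    sender with the best record, and refuse to choose if nobody is trusted.
    """
    if not responses:
        return None, "no response"
    ordered = sorted(responses, key=lambda r: r.arrival_ms)
    first = ordered[0]
    deadline = first.arrival_ms * max_delay_ratio
    window = [r for r in ordered if r.arrival_ms <= deadline]

    if len({r.address for r in window}) == 1:
        return first, "no disagreement inside wait window"

    # Highest trust wins; among equals, the earlier arrival wins.
    best = max(window, key=lambda r: (trust(history, r.sender), -r.arrival_ms))
    if trust(history, best.sender) < min_trust:
        return None, "disagreement and no trusted sender"
    return best, "disagreement settled by sender history"


# Constructed history: 98 of 100 earlier answers from this server were acceptable.
HISTORY = {"ns-known.example": (98, 100)}


def demo():
    good, other = "192.0.2.10", "198.51.100.66"  # constructed addresses
    cases = {
        "agree": [Response("ns-new.example", good, 20.0),
                  Response("ns-known.example", good, 21.0)],
        "close_conflict": [Response("ns-new.example", other, 20.0),
                           Response("ns-known.example", good, 21.5)],
        "late_conflict": [Response("ns-new.example", other, 20.0),
                          Response("ns-known.example", good, 60.0)],
        "untrusted_conflict": [Response("ns-new.example", other, 20.0),
                               Response("ns-other.example", good, 21.0)],
    }
    return {name: select_response(rs, HISTORY) for name, rs in cases.items()}


if __name__ == "__main__":
    for name, (chosen, reason) in demo().items():
        print(name, chosen.address if chosen else None, "-", reason)
```

The `late_conflict` case shows the cost the answer points out: a response arriving at three times the first one's delay is never weighed, because the resolver has already stopped waiting.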
15.
Covert channels use an available communications medium as a baseline on top of which to communicate data. Describe an interaction you could hold with two other people, communicating to one person without the other’s being aware. What is the medium you use? Estimate the rate of data transfer; that is, how much information can you convey in what period of time? We do this kind of thing all the time in personal interactions. We wink, smile, or raise our eyebrows to indicate that something we say may not be true. Psychologists who study communication indicate that failure to make eye contact can also signal a lie. If these can be done in a way the third party does not see (that is, so the third party depends only on the spoken words), an additional [true/false] bit of information is communicated. The data rate is quite low, one bit per sentence.
16.
The file lock storage channel is appropriate for a multiuser computer system, in which one user can signal by blocking or allowing access to a shared resource. Describe a storage channel that could be implemented on a single-user system.
By their nature, covert channels must involve three parties: a legitimate sender, legitimate receiver, and covert receiver. Thus, we need a second user who can see what the first user has done. In one context this could be two web users reading pages provided by a third. The colors or format of the web page displayed could be a covert signal that only one of the two web users would notice.
17.
Covert channels are typically not used by insiders, who usually have more effective ways to distribute protected data. Describe how an outsider might use a covert channel to obtain sensitive data. The outsider typically co-opts the insider, perhaps through a Trojan horse or other malicious code, to provide sensitive information. In the example for question 16, the malicious outsider could infect a web server with a modified, malicious add-on to cause it to vary the appearance of web pages sent.
18.
How could steganography be used to protect data? Is it a preventive or detective approach? The confidentiality of data could be protected with steganography by embedding the confidential data in an innocuous image. Steganography is an example of security through obscurity.
Additional Exercises
1.
The distinction between covert storage and covert timing channels is not clear. Some researchers assert that every covert timing channel can be converted to a covert storage channel. Explain how this would be done. Time is a resource, just like disk space. Thus, amount of work done during one unit of time is the resource being toggled: for a low value, the channel performs little work, perhaps executing no-op instructions to fill a time interval; for a high value, the channel works at full capacity. But then, amount of work done is a measurable resource, which is the same as a stored data item. Thus, timing channels can be converted to storage channels by considering the amount of work done in a unit time to be the shared object.
2.
A children’s game for n players starts when player 1 whispers something to player 2, player 2 whispers that to player 3, … player (n–1) to player n. The players in the middle repeat what they think they hear but, as we well know, we do not always interpret what we hear accurately. Is this an example of a man-in-the-middle attack? Why or why not? Strictly speaking, this would not be a man-in-the-middle attack, because the middle players are nonmalicious, and although they interfere with the communication, they do not do so intentionally.
3.
Describe a man-in-the-middle attack involving a wireless network. Because the SSID and MAC address are broadcast, an interceptor can easily set up an intermediate station. Assume a client C and a base station B; the interceptor I wants to become a man in the middle. B broadcasts its SSID. I broadcasts the same SSID. If I is closer to C than B is, I’s signal will usually be stronger, causing C to prefer I. C connects to I; meanwhile I connects to B. From that point on, I can communicate with both B and C, representing each to the other.
4.
Trust is a critical element in countering man-in-the-middle attacks: Both ends have to trust that they are communicating securely and not interacting with an unknown intermediary. Discuss the role of trust in man-in-the-browser attacks. The central trust issue is trusting the integrity of browser add-ons. If the browser owner trusts the source of the add-ons, and if the browser manufacturer makes it easy for a user to install add-ons from any location, there is excessive trust with too little justification.
5.
Discuss the role of trust in physical man-in-the-middle attacks. Trust is difficult to establish in a face-to-face human context because society trains us to be trusting of other people. As many security experts observe, if the attacker has unlimited physical access to your computer (or any part of it), your security may be compromised. Physical man-in-the-middle attacks often perform passive or active wiretapping. Thus, misplaced or unjustified human trust is one way physical man-in-the-middle attacks are perpetrated.
Chapter 13: Not All Is As It Seems
Forgeries and integrity failures should not be new concepts for the students. In fact, this chapter presents new examples that depend on the pieces of earlier chapters.
Instructional Suggestions
The major new content of this chapter is the digital signature, the culmination of work from several previous chapters: symmetric cryptography, asymmetric cryptography, hash codes, and certificates to bind an identity with a public key, thus providing assurance of authenticity. You should build this concept from those pieces—things the students already understand. Students should also note the non-countermeasure described in this chapter: the software goodness checker. Many people outside the security field think we are not doing our job: If software can do all the wonderful things it apparently does, then surely someone could write a simple program to distinguish malicious from benign programs. That view is compounded by the marketing arms of legitimate antivirus and anti-malware vendors who sometimes promise more than they can deliver. In fact, not only is it provably impossible to develop a program that can distinguish good code from bad, we cannot reliably do it in the most important cases. We can weed out the large number of straightforward instances of viruses and other types of malware, and antivirus software does a good job of protecting our computers from much harm. However, a truly sophisticated attack can probably evade detection. Students need to appreciate that point, and they need to be able to articulate it clearly and convincingly to others who may one day call for a simple goodness checker.
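An added example, not from the book, that assembles the digital signature from the pieces named in this chapter's instructional suggestions (hash code, asymmetric key pair, certificate) and sets it beside a shared-key MAC, the contrast behind the nonrepudiation exercises of Chapter 11. It uses textbook RSA without padding over small, publicly known Mersenne primes, so the keys, names and messages are constructed for illustration and offer no real security.

```python
import hashlib
import hmac


def make_keypair(p, q, e=65537):
    """Textbook RSA key from two primes: returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest(message, n):
    """Hash code of the message, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Only the holder of the private exponent can compute this value."""
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message, signature):
    """Anyone holding the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


def issue_certificate(ca_private, identity, subject_public):
    """The CA signs the binding 'this identity owns this public key'."""
    n, e = subject_public
    binding = f"{identity}|{n}|{e}".encode()
    return {"identity": identity, "public": subject_public,
            "ca_signature": sign(ca_private, binding)}


def check_certificate(ca_public, cert):
    n, e = cert["public"]
    binding = f"{cert['identity']}|{n}|{e}".encode()
    return verify(ca_public, binding, cert["ca_signature"])


# Constructed toy keys: Mersenne primes are public knowledge, so these
# moduli are trivially factorable. Illustration only.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**107 - 1, 2**61 - 1)
B_PUBLIC, B_PRIVATE = make_keypair(2**127 - 1, 2**89 - 1)


def compare_evidence():
    message = b"B agrees to pay A 100"      # constructed message
    shared_key = b"key k known to A and B"  # constructed symmetric key

    # Symmetric case: A and B compute the tag the same way from the same key,
    # so the tag cannot show a third party which of them produced it.
    tag_by_a = hmac.new(shared_key, message, hashlib.sha256).digest()
    tag_by_b = hmac.new(shared_key, message, hashlib.sha256).digest()

    # Asymmetric case: B signs; the CA certificate ties the key to "B".
    cert = issue_certificate(CA_PRIVATE, "B", B_PUBLIC)
    signature = sign(B_PRIVATE, message)
    relabelled = dict(cert, identity="A")  # same key, different claimed owner

    return {
        "symmetric_tags_identical": hmac.compare_digest(tag_by_a, tag_by_b),
        "certificate_valid": check_certificate(CA_PUBLIC, cert),
        "signature_valid": verify(cert["public"], message, signature),
        "altered_message_valid": verify(cert["public"],
                                        b"B agrees to pay A 900", signature),
        "relabelled_certificate_valid": check_certificate(CA_PUBLIC, relabelled),
    }


if __name__ == "__main__":
    for check, outcome in compare_evidence().items():
        print(f"{check}: {outcome}")
```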
Chapter Exercises
1.
List factors that would cause you to be more or less convinced that a particular email message was authentic. Which of the more convincing factors from your list would have been present in the example of the South Korean diplomatic secrets? (1) From a friend or acquaintance, (2) from a known email address, especially an “inside” one, (3) properly presented—correct grammar, syntax, and spelling, (4) appropriate content. All these were present in the diplomatic secrets example.
2.
State an example of how framing could be used to trick a victim. Suggesting that the victim help a friend (appealing to emotions), or asking for assistance to counter a computer attack.
3.
Explain how a forger can create an authentic-looking web site for a commercial establishment. A commercial web page display is usually composed of several stock graphics files, such as the company’s trademark or images of recognizable products of the company (for example, a bank’s name in the style it is often displayed on signs and in ads, along with products such as bank-issued credit cards). These graphics files are just downloaded from a server, and the actual HTML code contains the address from which these images are fetched. The attacker can either copy the images directly or link to the original images, thereby creating exact renderings of objects identical to the ones the actual site would display.
4.
Explain why spam senders frequently change from one email address and one domain to another. Explain why changing the address does not prevent their victims from responding to their messages. Service providers and major mail handlers detect spam and block the sending addresses from which spam messages apparently originated. After a while, many providers block the addresses, so the spammers get little traffic through to their intended victims. Spam senders then switch to a new source address that is unknown to the service providers, and the senders have a short period before that address becomes recognized and the senders have to switch to another one. Blocking an inbound address does not affect outbound traffic, so the spam merchants can still receive replies at a blocked address.
5.
Why does a web server need to know the address, browser type, and cookies for a requesting client? The address is needed to direct the response. The browser type indicates what type of code the browser can receive; for example, some browsers display only basic HTML, whereas other browsers support extensions for richer content rendering. Knowing the type tells the web server whether to send basic or rich content. Cookies help a web server know if this is a new visitor or a returning one. Neither browser type nor cookies is essential, but both help to improve the “quality of the user experience.”
6.
Suggest a technique by which a browser could detect and block clickjacking attacks. A browser can warn when one image obscures another and a click action is about to be taken on the obscured image.
7.
The issue of cross site scripting is not just that scripts execute, for they do in many sites. The issue is that the script is included in the URL communicated between sites, and therefore the user or a malicious process can rewrite the URL before it goes to its intended destination. Suggest a way by which scripts can be communicated more securely. The problem is allowing the user access to the scripts, in a sense similar to a time-of-check to time-of-use attack. The script should be communicated by some transfer other than through the URL the user (or a malicious process acting on the user’s behalf) can change.
8.
Apple iPhone applications are available (at least when this book was written) only from the Apple’s iStore. Does distribution by Apple imply quality, correctness, or security? Should it—legally, ethically, and practically? Justify your answer. Apple assumes no liability for the quality, correctness or security of apps to which it has links on its web site: Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple
assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.
Although ethically Apple might have some responsibility for the quality of code it advertises, it seems not to accept that responsibility. In fairness, it would be almost impossible for Apple to police all its applications to determine quality, correctness and security. The best it can do is to remove a listing if it discovers a problem in a particular product, by which time, unfortunately, the product has already been downloaded and installed by clients.
9.
In the foreword to this book, Charles Palmer discusses computer applications and systems on which much of the world depends. He observes that much of this cyberinfrastructure is based on embedded, nontraditional operating systems. Does the fact that these operating systems are embedded and nontraditional improve, diminish, or have no effect on their security? Justify your answer. Mixed. Much like the arguments on cyber monoculture, security is improved in that the well-publicized attacks against a common operating system or application are ineffective against embedded, nontraditional systems. On the other hand, the search for flaws and efforts to repair common operating systems will not affect nontraditional ones.
10.
On a written check, confirming authenticity (the signatures) and judging authenticity (a third-party handwriting expert’s analysis) are two distinct properties. Explain how these two properties are implemented for a digital signature. The authenticity is implemented by encrypting the message with the signer’s private key. Verifying the authenticity (or lack thereof) is done by decrypting with the signer’s public key.
11.
How is the unforgeability property of a digital signature achieved? A digital signature is unforgeable because only the signer can have encrypted the document’s checksum with his or her private key.
12.
What attack is a financial institution seeking to counter by asking its customers to confirm that they see their expected security picture (a hot red sports car or a plate of cookies) before entering sensitive data? This is a further piece of authentication, showing the user that the bank can present something only the user knows. To be done right, the financial institution needs to communicate this picture securely (encrypted) to the user’s browser, so an attacker cannot tap the communication and replay the image going to the user.
13.
How does a certificate bind an identity and a public key? A certificate contains an indication of identity and a public key, bound together by a signature from a higher certifying authority. Thus, anyone can inspect the certificate and determine that (1) it is constructed on behalf of Mary, (2) the public key in it belongs to Mary, and (3) the signer attests to the association of that key with Mary.
14.
Why is the signer’s private key used to encrypt only the message digest, not the entire document being signed?
Asymmetric key encryption is very slow. Thus, to use a public key algorithm to encrypt an entire document, which might be tens or even hundreds of pages long, would take an inordinate amount of time. A faster, almost as secure solution is for the signer to compute the message digest and encrypt that as the signature.
15.
If a hash function reduces 2^64 bits to 256 (2^8) bits, how many collisions can be expected for any given input? Why does that number of collisions not undermine the purpose of a hash function, namely, to demonstrate that it is unlikely that an undetected change can be made? 2^64 / 2^8 = 2^(64 - 8) = 2^56 collisions, on average. Even though a large number of collisions can occur, the scheme depends on the inability of an attacker to predict a collision, that is, to take an original document and know that a particular change will not alter the hash function’s result. If an attacker knew, for example, that a collision would occur between a document containing the string “$100” and the same document with “$100” replaced by “$100,000,” the attacker would be able to make that substitution without detection. However, attackers seldom know of such possibilities. Furthermore, hash function results are usually longer than 8 bits, so an exhaustive search for collisions is prohibitive for the attacker.
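The following added example (not from the book or this manual) makes the last point of that answer measurable: it truncates SHA-256 to a chosen number of bits, shows that every 8-bit digest value is shared by many inputs, and counts how many rewordings of a "$100,000" document must be tried before one matches the digest of the "$100" original. The sample documents, the truncation helper and the appended reference number are assumptions made for illustration.

```python
import hashlib
from collections import Counter

# Constructed sample documents: the same text with only the amount changed.
ORIGINAL = b"Pay to the order of Bob the sum of $100"
ALTERED = b"Pay to the order of Bob the sum of $100,000"


def truncated_digest(data: bytes, bits: int) -> int:
    """Toy short hash: the top `bits` bits of SHA-256(data), as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def bucket_counts(n_inputs: int, bits: int) -> Counter:
    """Hash n_inputs distinct inputs and count how many share each digest value."""
    counts = Counter()
    for i in range(n_inputs):
        counts[truncated_digest(i.to_bytes(8, "big"), bits)] += 1
    return counts


def variant(altered: bytes, k: int) -> bytes:
    """k-th harmless-looking rewording: the altered text plus a reference number."""
    return altered + b" ref:" + str(k).encode()


def tries_to_match(original: bytes, altered: bytes, bits: int,
                   limit: int = 5_000_000):
    """Count rewordings tested until one has the same digest as `original`.

    Returns the number of tries, or None if `limit` is reached first.
    The expected number of tries is about 2**bits, which is why the search
    is trivial for an 8-bit digest and out of reach for a 256-bit one.
    """
    target = truncated_digest(original, bits)
    for k in range(1, limit + 1):
        if truncated_digest(variant(altered, k), bits) == target:
            return k
    return None


if __name__ == "__main__":
    counts = bucket_counts(2 ** 14, 8)
    print("distinct 8-bit digests seen:", len(counts))
    print("inputs per digest (min, max):",
          min(counts.values()), max(counts.values()))
    for bits in (8, 12, 16):
        tries = tries_to_match(ORIGINAL, ALTERED, bits)
        print(f"{bits}-bit digest: match after {tries} tries "
              f"(about {2 ** bits} expected)")
```

Each extra digest bit doubles the expected search, so the same loop that finishes instantly at 8 bits cannot finish at the digest lengths used in practice.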
16.
Explain why role-based access control helps achieve least privilege. With role-based access control, the system security administrator can focus on defining privileges necessary for each role, and assign people to roles, knowing that role membership assigns the appropriate set of capabilities.
17.
In this chapter we have not reiterated countermeasures stated in previous chapters. How would countermeasures such as program development standards or separation be useful against integrity threats? Program development, especially design and code reviews, helps to ensure that code does just what it is required to do.
Additional Exercises
1.
Suppose you receive an email message, the indicated sender of which is a friend. You are skeptical of opening the message, and especially leery of opening an attachment. How could you confirm the message’s authenticity? Contact your friend, preferably by an out-of-band technique, such as a telephone call, and ask if your friend sent you the message.
2.
Can you explain why it is relatively easy to forge the sender’s address in an email message? (Hint, consider the email server interaction described in Chapter 9.) Chapter 9 described how a port scan is done, by showing how to open an email session with a remote mail transfer agent from a Telnet connection. The Telnet connection does not authenticate the sender, and at best it transfers to the receiver an IP address, not a domain name, much less a legitimate email user’s name. Thus, the receiving agent has to trust the validity of the “from” field in the email message, but that field is just text.
3.
The basis of clickjack attacks is invisible pages. What is a justification for an invisible page?
As described in the section on clickjacking, web page designers use invisible web bugs to track clients at other web pages. The page for a florist may contain a web bug for a tracking company that the florist employs to accumulate usage statistics. In this way, the florist focuses on the flower business, and outsources web traffic analysis to a specialized firm.
4.
The alternative to drive-by downloads would be to ask the user’s permission as each file is to be installed. Consider that even a relatively simple application, such as a browser or Adobe Reader, might contain dozens or even hundreds of files in its installation package, and a modern word processor, design package, or photo manipulation platform could contain a thousand or more files. Can you predict what would be a typical user reaction to being asked to save each of a thousand files? How does this situation relate to the concept of informed consent in medical treatment? Users understandably would lose patience after approving a few files for installation. Likely a user would then either click “yes” for all others without considering them, or cancel the entire installation. Thus, there would be no security gain from requiring separate approval. Furthermore, file names would not always indicate the file’s purpose and function (and security characteristics). This differs from medical informed consent in that under informed consent a patient agrees to a particular treatment after hearing or reading a concise but accurate description of the objective of a medical procedure and its possible complications. Medical informed consent involves a physician who is licensed and liable in case the procedure outcome is not as described on the consent form.
5.
What property of a digital signature ensures authenticity? Encryption with signer’s private key. The recipient can easily decrypt with the signer’s public key to become confident the signature came from the signer.
6.
What property of a digital signature ensures nonrepudiation? Encryption with the signer’s private key. The recipient can invoke a third party, for example a judge, to obtain another copy of the signer’s public key (which, presumably, is publicly available). The third party decrypts the signature and the recipient shows the copy he or she obtained, to demonstrate that what the recipient has could have come only from the signer.
7.
What property of a digital signature ensures non-reusability? Non-reusability must be implemented with some “live” data within the signed document itself, for example, a time and date, or a serial number.
8.
Take a poll of classmates, friends, or co-workers to find out how many people inspect the certificate chain in an SSL encrypted session on a browser (or how many people know that it is possible, how to do it, and what it means). If your poll turns up that very few people use this feature, why should browsers implement it? A small number of security-conscious individuals might use it now, and more might use it in the future. A better reason is that the data are available, so a tool could save the signing chain for future reference. Then, if a system security utility discovered a piece of malicious code, it could inform the user “you received this code on -date- from a download signed by -names of certificate signers-.”
9.
Explain what security property procedure-based access control helps achieve. Procedure-based access control helps achieve integrity of data by ensuring that data items are appropriate for their use (for example, in size, format). It also helps achieve accountability, linking a person or subject with each action. Finally, it accomplishes access control.
10.
How is the integrity property of a digital signature achieved? The message digest guards against most message content changes.
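The digital signature answers in this chapter (sign the digest with the private key, verify with the public key, put "live" data in the document to prevent reuse) can be exercised together in the following added example, which is not from the book or this manual. It uses textbook RSA with no padding and a toy key built from two publicly known Mersenne primes, so it offers no security; the key names, the check format and the `CheckVerifier` class are assumptions made for illustration.

```python
import hashlib

E = 65537  # widely used public exponent


def make_toy_key(p: int, q: int):
    """Build a textbook-RSA key from two primes. Returns (n, e, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)  # d, the private exponent (Python 3.8+)


# Toy key for the signer "Mary": both primes are public knowledge.
MARY_N, MARY_E, MARY_D = make_toy_key(2 ** 127 - 1, 2 ** 521 - 1)


def digest_int(document: bytes) -> int:
    """SHA-256 digest as an integer; 256 bits, so it fits below the modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, d: int, n: int) -> int:
    """Signature = digest transformed with the private key, not the whole text."""
    return pow(digest_int(document), d, n)


def verify(document: bytes, signature: int, e: int, n: int) -> bool:
    """Undo the signature with the public key and compare with a fresh digest."""
    return pow(signature, e, n) == digest_int(document)


class CheckVerifier:
    """Accepts each validly signed check once, using its serial number."""

    def __init__(self, e: int, n: int):
        self.e, self.n = e, n
        self.seen_serials = set()

    def accept(self, document: bytes, signature: int) -> str:
        if not verify(document, signature, self.e, self.n):
            return "rejected: bad signature"
        fields = dict(item.split("=", 1)
                      for item in document.decode().split(";"))
        serial = fields["serial"]          # the "live" data inside the document
        if serial in self.seen_serials:
            return "rejected: serial already used"
        self.seen_serials.add(serial)
        return "accepted"


if __name__ == "__main__":
    check = b"serial=1001;payee=Bob;amount=$100"      # constructed sample
    sig = sign(check, MARY_D, MARY_N)
    bank = CheckVerifier(MARY_E, MARY_N)
    print(bank.accept(check, sig))                     # authentic
    print(bank.accept(check, sig))                     # same check presented again
    print(bank.accept(b"serial=1002;payee=Bob;amount=$100,000", sig))  # altered
```

Production signatures use a padding scheme and keys of at least 2048 bits generated from secret random primes; the structure of sign and verify is otherwise the same.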
Chapter 14: Play It [Again] Sam, or, Let’s Look at the Instant Replay
The topic of this chapter is replays, which reiterates previous consideration of authentication failures. The new countermeasure—browser encryption—should be familiar because of its having been developed over the preceding several chapters.
Instructional Suggestions
Figure 14.1 and the accompanying text make a critical but often-overlooked point: Encryption, although powerful, can protect only the stream it covers. Data prior to encryption and after decryption are still exposed.
Chapter Exercises
1.
How would you address the vulnerability of cloning RFID tags in passport cards, as described at the beginning of this chapter? Reading an RFID tag from a distance is more difficult if the tag is shielded, that is, carried in a protective sleeve, made of wire mesh.
2.
Is a sequence number a preventive or detective countermeasure? Explain your answer. A sequence number detects insertions into a stream.
3.
When Bill sends Amy a liveness number that she is to return, what prevents the attacker from intercepting and returning that number with the reply forged to seem to come from Amy? Bill sends the liveness number in encrypted form.
4.
Discuss how to foil the idea of a blinking light to show liveness with a security camera. As described in Chapter 12, the enemy fed an unremarkable data stream to the sensors and monitors. It would be possible (although not easy) to inject an active wiretap of a blinking light into the feed viewed on the control room’s monitor.
5.
What data does the attacker need to predict the next sequence number in a TCP hijack attack? How could those data be obtained? The attacker needs the latest receiver’s buffer pointer, which the receiver sends in each TCP packet.
6.
Explain how the attacker can hijack a session secured with a token passed back and forth between the client and server if the token is a cookie. Explain how that could be done if the token is a parameter in the http header. A cookie is a file stored on the client’s computer, which code running for the attacker can get from the browser’s files. The attacker can modify or copy the parameter from the http header just before it is transmitted from the client to the server.
7.
SSL can use different encryption algorithms. Why would a browser or user want to use one encryption algorithm instead of another? Is that choice under the user’s control? Should it be? Explain your answer.
Some browsers do not implement certain algorithms; some countries or installations do not permit the use of certain algorithms, so supporting a particular algorithm is an option to the browser. The user would generally prefer the strongest algorithm available, although if speed is a critical issue, the user might prefer a faster but weaker algorithm. Thus, choice of algorithm should be a choice for informed users, but the default should be the strongest algorithm possible.
8.
IPsec offers users a choice of confidentiality, authentication or both. Give an example in which confidentiality alone would be adequate; similarly for authentication alone; similarly for both. Confidentiality: private email. Authenticity: database update. Both: electronic voting.
Additional Exercises
1.
The UDP protocol does not include sequencing as does TCP. Thus, hijacking a UDP session is easy. Why is this not a problem? Threat. The UDP protocol suite is designed specifically for situations in which speed is significantly more important than correctness: massive data transfer (streaming audio and video, for example) or network testing. In both cases, although a data stream could be hijacked, there is little advantage. Hijacking a movie and splicing in different content might be an annoyance to the user, but simple error detection and correction within the data stream would quickly alert the user to some problem. The user would halt the transmission and restart a new one, which would knock out the intruder. Similarly, faulty test results would be detected by mismatches within the test suite, and the test would be restarted.
2.
The UDP protocol does not include sequencing as does TCP. Thus, hijacking a UDP session is easy. Why is this not a problem? UDP protocol transmissions are inherently unsequenced, so applications must employ their own measures to implement sequencing, as well as error correction, if any. Thus, any hijack attempt would have to know the format of application-dependent sequencing, which is unlikely.
3.
List two possible flaws in the idea of positioning a photograph in front of a security camera to permit undetected access to a monitored safe. (1) Getting the photograph into place without detection. (2) Getting a good original image of exactly the right size and angle and magnification.
4.
Is TCP hijacking foiled by session encryption, for example, through SSL? Why or why not? Yes, once a session is encrypted with SSL, the attacker cannot obtain an appropriate key with which to create fake text insertions that will overtake the session.
5.
Encrypted password failure as depicted in Figure 14-1 is an example of encryption employed in the wrong place to be able to counter a vulnerability. At what point should that encryption have been employed? The encryption needs to cover something more than just the password, for example, the user ID. Otherwise, when the client sends just the encrypted password, that can be cut and pasted. Ideally, the encryption would cover not just the password but also something of which the attacker cannot be aware, for example, an encrypted nonce.
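The difference between a protected password that never changes and one bound to a user ID and a fresh nonce, as in this answer and in the liveness number of Chapter Exercise 3, is shown in the following added example (not from the book or this manual). It uses a keyed MAC (HMAC-SHA-256) over the user ID and a server-issued nonce in place of the encryption the answers mention; the class names, account data and key derivation are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derive_key(user: str, password: str) -> bytes:
    """Stretch the password into a key; the user ID serves as salt (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)


def respond(key: bytes, user: str, nonce: bytes) -> bytes:
    """Client's answer to a challenge: a MAC over the user ID and the fresh nonce."""
    return hmac.new(key, user.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class StaticTokenServer:
    """Weak scheme: the client sends the same protected password every time."""

    def __init__(self, accounts):
        self.tokens = {u: derive_key(u, p) for u, p in accounts.items()}

    def login(self, user: str, token: bytes) -> bool:
        expected = self.tokens.get(user)
        return expected is not None and hmac.compare_digest(expected, token)


class ChallengeServer:
    """Each login must answer a nonce the server issued for that user, once."""

    def __init__(self, accounts):
        self.keys = {u: derive_key(u, p) for u, p in accounts.items()}
        self.pending = {}                      # user -> outstanding nonce

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)   # a nonce is good for one attempt
        key = self.keys.get(user)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(respond(key, user, nonce), response)


def replay_demo() -> dict:
    """Replay a captured login message against both schemes."""
    accounts = {"amy": "correct horse", "bill": "battery staple"}  # constructed
    amy_key = derive_key("amy", accounts["amy"])
    results = {}

    weak = StaticTokenServer(accounts)
    results["static_first"] = weak.login("amy", amy_key)
    results["static_replay"] = weak.login("amy", amy_key)      # pasted copy works

    strong = ChallengeServer(accounts)
    captured = respond(amy_key, "amy", strong.challenge("amy"))
    results["nonce_first"] = strong.login("amy", captured)
    results["nonce_replay"] = strong.login("amy", captured)    # nonce consumed
    strong.challenge("amy")                                    # new nonce issued
    results["nonce_replay_after_new_challenge"] = strong.login("amy", captured)
    strong.challenge("bill")
    results["pasted_under_other_user"] = strong.login("bill", captured)
    return results


if __name__ == "__main__":
    for name, outcome in replay_demo().items():
        print(f"{name}: {outcome}")
```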
6.
In the case described in Figure 14-1 describe how an attacker could have obtained the user’s password in plaintext. An attack like the keystroke logger of Chapter 5 could have sniffed both user ID and password. The trick is to obtain these before the ID/password box of Figure 14-1.
Chapter 15: I Can’t Get No Satisfaction
Denial-of-service is a major topic. Numerous examples of such attacks appear in the popular press, and the basic concept is not difficult for students to grasp.
Instructional Suggestions
In this chapter we present the important topic of denial-of-service attacks. Some instructors think Chapter 15 is too late for this topic. Fortunately, very little of the content of this chapter depends heavily on content from earlier chapters. Thus, there is little harm in covering this chapter earlier, say after Chapter 6 (after having covered malicious code and overflow attacks). This chapter will require some understanding of networking, especially the concepts of packets, individual packet transmission, and IP services below the application level. Students with limited networking knowledge can follow the basis of this chapter’s content, even if they do not appreciate all its minutiae. In lecture and exams, be sure to stress security aspects, not networking aspects.
Chapter Exercises
1.
What techniques could a network administrator use to distinguish a malicious denial-of-service attack from one caused by component failure? A skillful attacker can, and sometimes will, make an attack look like a component failure to mislead the administrator. Thus, these symptoms are only mild indicators, not definitive distinctions. (1) Determine whether the effects are regular or irregular, repeatable or sporadic, increasing/decreasing or level. Malicious attacks are more often irregular, sporadic and of varying intensity. If the administrator can bring on the symptom consistently by loading the system, varying equipment or links on or offline, or other tuning, the cause is likely component failure. (2) Notice whether the effects have a regular time pattern, for example, between 9:00 pm and 3:00 am, which might correspond to an attacker’s usual schedule. (3) Check whether the attack seems to affect only certain logical segments: hardware links or devices, files of particular users, or execution of certain processes. The attacker may be targeting specific users or activities.
2.
Explain why a disgruntled user of a web site is unlikely to be able to succeed at flooding the web site. As described in this chapter, the laws of physics work: An attacker on a low bandwidth line working alone cannot generate enough traffic to overwhelm a high bandwidth line.
3.
Describe what techniques or evidence network engineers could use to distinguish between a flooding attack and one due to a natural surge in traffic, such as many people seeking news about a major world event. Again, distinguishing between these two can be difficult. First, the engineers need to know the nature of the applications their servers support. If the servers have to do with the general public, then consider what specific activity members of the public would perform: get news, search for data, buy things, cast votes. Usually developers of sites expecting a lot of traffic have tested their applications in high-volume conditions, so the administrators will have been forewarned of applications that can
attract many visitors. Sometimes, however, even the developers and site owners are surprised by volume, which can complicate distinguishing flooding from normal activity. Usually, high volume traffic subsides, although sometimes not for a long time. For example, people seeking news of a breaking story may surge for minutes or hours, but after a while many people have heard of the situation and stop seeking new details online. Similarly, fans seeking to buy tickets to a popular event may flood the site as soon as the tickets go on sale, but after all the early customers have been served, traffic volume will even out.
4.
In the case involving Beth Israel Deaconess Hospital, it would have been natural to suspect initially that the network slowdown was the result of an attack by malicious outsiders or insiders. What steps might the administrators have taken to determine whether the cause was malicious attack or a combined hardware– software problem, as it turned out to be? In this case, disconnecting the internal network from outside access, or even just monitoring the volume of incoming versus internal traffic, would have shown that the source was internal. Then, monitoring the volume at specific points would have shown whether the cause was a few internal servers or a more general capacity problem.
5.
In a smurf attack, why would the attacker want to broadcast the request to all hosts in a subnetwork? Broadcasting the attack enlists all hosts to repeat the attack against the victim.
6.
An IP fragmentation attack might be detected by the protocol reassembly mechanism whenever it finds overlapping packet fragments. In that case, what would be a reasonable action that would avoid resource exhaustion? Would nonoverlapping packet fragments also produce this attack’s result? Why or why not? One possibility is to drop all fragments from the same source that are overlapping, and perhaps even close the connection (which the sender and receiver can then reestablish). Overlapping packet fragments are likely to be an error. Sometimes resetting the communicating computers causes the error condition to go away.
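The drop-on-overlap action suggested in that answer can be sketched as a reassembly buffer, shown in the following added example (not from the book or this manual). It discards every buffered fragment of a datagram as soon as one fragment overlaps another and caps how many datagrams may be held at once; offsets are in bytes for readability rather than the 8-byte units of the real IP header, and the class name, limits and sample addresses are assumptions made for illustration.

```python
MAX_DATAGRAM = 65535   # largest legal IPv4 datagram, in bytes
MAX_PENDING = 64       # assumed cap on datagrams under reassembly at once


class Reassembler:
    """Collects fragments per (source, ident) and refuses overlapping ones."""

    def __init__(self):
        # (source, ident) -> {"parts": {offset: payload}, "total": length or None}
        self.pending = {}

    def add(self, src, ident, offset, payload, more_fragments):
        """Returns (status, data); data is set only when status is 'complete'."""
        key = (src, ident)
        end = offset + len(payload)
        if not payload or end > MAX_DATAGRAM:
            self.pending.pop(key, None)
            return ("dropped-malformed", None)
        if key not in self.pending:
            if len(self.pending) >= MAX_PENDING:
                return ("dropped-table-full", None)   # bound memory use
            self.pending[key] = {"parts": {}, "total": None}
        state = self.pending[key]
        for start, data in state["parts"].items():
            if offset < start + len(data) and start < end:
                del self.pending[key]                 # free everything buffered
                return ("dropped-overlap", None)
        state["parts"][offset] = payload
        if not more_fragments:
            state["total"] = end                      # last fragment fixes length
        return self._finish_if_complete(key)

    def _finish_if_complete(self, key):
        state = self.pending[key]
        total = state["total"]
        if total is None:
            return ("buffered", None)
        if any(o + len(p) > total for o, p in state["parts"].items()):
            del self.pending[key]                     # data past the stated end
            return ("dropped-malformed", None)
        assembled = b""
        for o in sorted(state["parts"]):
            if o != len(assembled):                   # hole: keep waiting
                return ("buffered", None)
            assembled += state["parts"][o]
        del self.pending[key]
        return ("complete", assembled)


if __name__ == "__main__":
    r = Reassembler()
    # Constructed fragments: a well-formed datagram arriving out of order ...
    print(r.add("192.0.2.10", 7, 8, b"BBBBBBBB", True))
    print(r.add("192.0.2.10", 7, 0, b"AAAAAAAA", True))
    print(r.add("192.0.2.10", 7, 16, b"CC", False))
    # ... and one whose second fragment overlaps the first.
    print(r.add("192.0.2.66", 9, 0, b"X" * 8, True))
    print(r.add("192.0.2.66", 9, 4, b"Y" * 8, True))
```

A production reassembler also expires incomplete entries on a timer, which this sketch leaves out.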
7.
If network addressing can be spoofed, of what value is shunning for addressing a denial-of-service attack? Shunning prevents introduction of packets from the shunned address. Whether that address is the true source of the problem or a false pointer, traffic appearing to come from that address is involved in the current attack, so blocking traffic from that address reduces the impact inside the victim’s network. Of course, a skillful attacker can present attack packets from different addresses, so shunning stops only some of them, but it does limit the impact. Shunning a real address that has been spoofed denies legitimate access from the real address, so the network administrator wants to monitor traffic being shunned and remove the block after the attack seems to have ceased using that address.
8.
Why is an intrusion detection system sometimes connected to a network in addition to the one it is monitoring? Two reasons: First, if the network being monitored is being flooded, traffic from the intrusion detection system will be delayed or lost in the flood. More importantly,
however, if the intrusion detection system finds evidence of an ongoing attack, the system does not always want the attacker, who is active on the target network, to know the attack actions have been detected. Thus, generating alerts on a separate network allows the network administrators to interact secretly with the intrusion detection devices.
9.
Describe the kinds of data a signature-based intrusion detection system would monitor to detect a denial-of-service attack. Describe the kinds of data an anomaly-based intrusion detection system would monitor to detect a denial-of-service attack. List examples of specific attacks (such as smurf, echo, ping of death) for which each of these two types would be more effective. Signature-based systems are good for detecting attacks with specific characteristics, such as malformed packets or specific fields, such as echo or chargen. Anomaly-based systems are good for detecting unusual behavior, such as an unusual volume of access to a resource or activity from a long-dormant user. The named attacks, such as smurf, echo, and ping of death, are typically recognizable by signature.
10.
In what cases is a front-end intrusion detection system more appropriate than an internal one? When is the opposite true? Front-end systems block apparent malicious behavior, usually identified by pattern, before the system is affected. Internal systems detect malicious activity, often identified by anomalies, within a system.
11.
Does it make sense to combine intrusion detection technology with a firewall on the same hardware and software platform? Why or why not? Combining them is not a good idea. Each risks interfering with the other’s detection. Worse, a flaw in one could endanger the operation of the other.
12.
Give an example of how a network administrator could use a honeypot to detect malicious insider behavior. A network administrator could first identify the type of malicious behavior insiders may be performing, for example, reading sensitive files and transferring them out of the system. To detect, or more likely confirm, such activity, the administrator could create a honeypot loaded with the kind of sensitive data the insiders are believed to be accessing. The administrator will install on the honeypot an alarm system to inform the administrator any time the honeypot data are being accessed. On receiving an alarm the administrator can monitor the system’s active users and the access logs for the honeypot to attempt to identify the offending insiders, and from that the administrator can set up special monitoring of all activity of those insiders.
13.
What is a danger in the use of an intrusion prevention system? An intrusion prevention system proactively shuts down a resource or blocks activity before harm occurs. The risk of an intrusion prevention system is false positives: preventing something that is not really a threat.
14.
A goal for an intrusion detection system is to remain hidden on the network it is monitoring. Yet it must have an address associated with the network interface card by which it connects to the network in order to obtain network traffic. How can it have an address yet be invisible? Network intrusion detection systems can operate in promiscuous mode, so they obtain and can analyze all data packets on the network, regardless of the packets’
destination addresses. The IDS designer operates this interface as input-only: that is, the IDS intercepts traffic but never transmits anything onto the network. An attacker might be able to detect that there is a device at a particular address, but the device will never respond to any queries, so the attacker cannot find out what type of device it is. (It could, for example, be an unused but live printer, or a router connected to no other network.) The IDS does all its interaction with network administrators on a different network, accessed through a second interface card.
15.
What is the potential harm of a false positive from an intrusion detection system? A false positive from an IDS could cause a network administrator to disable resources or block legitimate access, thus denying some service.
16.
Outline the issues that an organization should address in a disaster recovery plan. Issues: Severity, expected duration, impact (affects data, processing, or administration), degree of risk, amount of funding available to mitigate the risk, who will do what in the event of a disaster. Activities: (1) Categorize the kinds of disasters: major physical disaster, power failure (perhaps divided into action levels by expected duration of the outage), major hardware or electronic catastrophe, etc. (2) Identify the critical resources. Rank or categorize the criticality: most important, very important but not top priority, etc. (3) Create and document a strategy for protection, for example, by creating offsite backup data copies, contracting with vendors for emergency delivery of replacement hardware, or acquiring a support system (such as a power generator). (4) Identify key personnel, by name and by function, and define a plan of succession if a key person is unavailable. (5) Establish conditions for return from disaster to regular mode.
17.
Outline the issues that an organization should address in an incident response plan. How does an incident response plan differ from a disaster recovery plan? An incident is a single situation that affects a specific part of a system, for example, an outside attack or failure of a single piece of hardware. A disaster is a broader event that affects all or most of a system at a particular location, for example, a fire or power outage. Although they are often more localized, incidents are not necessarily less harmful or less important than disasters. Organizations must prepare for both, and some of the steps of preparation are the same or similar. Issues: (1) Who: Ensure that everyone knows when, how, and to whom to report a suspected incident. Establish a culture in which people are not punished for submitting a false alarm if the individuals honestly thought the situation might be an incident. Establish a chain of authority and responsibility during the incident: Who acts, who coordinates, who makes major decisions? (2) Notes: Begin to develop a log of events and actions when the suspected incident is first reported. (3) What, how: Investigate the nature of the incident, its impact, and its possible sources and causes. (4) Response: Determine and implement appropriate countermeasures. (5) Impact: Monitor the impact of the response, determine if further action is needed, determine when the incident is finished.
18.
In the example of Barrett Lyon and the BetCRIS web site described in this chapter, BetCRIS spent $1 million to counter an extortion demand for $1 million. Was that a sensible way to spend that money? Explain your answer.
As Lyon and BetCRIS interpreted the situation, it was a typical extortion demand: Paying the extortion fee meant the attacker could return later and demand another, even higher fee. By countering the attacker, they reasoned that either they would overtake the attacker, causing the attacker to give up and target someone else less well prepared, or they would lose to the attacker. Of course, neither Lyon nor BetCRIS initially expected they would spend $1 million. Thus the three options were (1) pay now and probably pay more later, (2) counter and win, (3) counter and lose. An optimistic gambler might bet on (2), being more likely than (3), and certainly preferable to (1). At the beginning, they thought they could overtake the attacker for less than the original extortion demand, so countering made economic sense. As the attack escalated and the costs rose, they continued to invest, which follows a human tendency to focus on what are called “sunk costs,” amounts already spent, and oppose losing those amounts. Thus, Lyon and BetCRIS followed human nature by letting the past affect economic decisions that properly involve only the future.
19.
One person reported attaching a new system to the Internet and within 17 seconds having it attacked by a tool testing for vulnerabilities. Certainly within 17 seconds nobody could have known a new machine had joined the Internet, and the machine certainly did nothing exceptional to announce its presence. Explain how that machine was found and attacked so quickly. Attackers using scanning tools probe addresses without regard to whether any system is active at those addresses. Tools such as the nmap scanner can have parameters by which they will probe an entire range of addresses or random addresses within certain limits. It is likely that the new system was hit by an address probe that happened to investigate the address at which the new system was attached.
20.
One way to disable a botnet is to destroy its command and control system. Why is this not done frequently? For at least three reasons. First, botnet designers try to conceal the address of the command and control system, by embedding it within the botnet agent’s code and by changing the address from time to time. Thus, by the time analysts obtain a compromised bot and can analyze its code or operation to find the address of its command and control system, the command and control system may have been moved. Second, botnet designers have also learned lessons from designers of nonmalicious command and control systems, for example, those that control computer networks, electric power facilities, or military systems. These latter systems are controlled by redundant command and control systems, so that if one command system fails (or is disabled, as in the case of a botnet), other command systems are also active to take over for the failed one(s). Finally, botnet designers are interested both in stealth and robustness. Thus, they sometimes develop a hierarchy of command and control: bots communicate with low-level control agents who redirect the bots to mid-level control agents who ultimately redirect the bots to command and control systems. Analysts have difficulty tracing through this hierarchical network of agents, each of which tries to maintain secrecy.
Additional Exercises
1.
A company is concerned that its proprietary data is being leaked to competitors. Someone suggests forbidding employees from interacting with anyone from a competitor’s company, even in social situations. Do you think this countermeasure would be effective? Probably not. If an employee were interested in passing sensitive data, the employee would not be stopped by a ban on interaction. Furthermore, this ban would be difficult to enforce and overly restrictive to employees who might, for example, live next door to an employee of a competitor.
2.
Companies sometimes restrict the use of the company email system for noncompany uses, other than a nominal amount for personal use. Assuming the company could define “nominal” suitably, how could the company implement this restriction, without exposing the privacy of an individual’s email? A filtering firewall could log the source and destination of all email, or an intrusion detection system could similarly collect data on source and destination of email, without retaining its content. Thus, the administrators could examine the volume of email and endpoints to learn approximately how much email was going to places that were not obviously related to the company’s business.
3.
How are firewalls related to encryption? That is, how does use of encryption in a network affect the ability of a firewall to protect that network? It depends on the nature of the firewall. A packet-filtering firewall is unaffected, because its decisions are based on pieces of the packet that must remain visible in the network, for example, source and destination address. An application-level firewall, trying to proxy behavior of something like an email handler, however, cannot function properly if it cannot inspect the email it must handle.
4.
How is intrusion detection related to encryption? That is, how does use of encryption in a network affect the ability of an intrusion detection system to protect that network? If a payload is encrypted, the intrusion detection system cannot interpret its impact or effect, so it cannot detect any malicious behavior the payload could cause.
5.
Is there a way to determine whether a packet has been sent from inside the destination country? Can this determination be made absolutely, with reasonably high assurance, or as slightly better than an educated guess? Explain your answer. Each packet has a source IP address, and that source address is registered with a registration authority. Suppose the address is 1.2.3.4, and assume the address block 1.2.3.0–1.2.3.255 has been registered with a registration authority in country A. That does not say this packet originated in A, however, because a resident of country B could have registered the address, or a resident of A could have left A and sent the packet while physically in country C. Worse, because of address spoofing, the person at 5.6.7.8 could make the packet appear to come from 1.2.3.4. It is theoretically possible for all routers on the boundary of country D, the destination of the packet, to tag all packets received from network connections outside D, and either record the packets (for subsequent comparison) or affix an immutable tag to each packet saying, in essence, “from outside D.” Such activity by a router is not currently done, nor is it feasible.
6.
Syn flood is the result of an incomplete protocol exchange. The client initiates an exchange but does not complete it. Unfortunately, these situations can also occur normally. Describe a benign situation that could cause a protocol exchange to be incomplete. If the initiating client becomes unavailable, for example due to a hardware failure, or if the initiating process stops, for example, if a user closes a web browser, the protocol exchange may remain in an incomplete state.
7.
A distributed denial-of-service attack uses zombies running on numerous machines to perform part of the attack simultaneously. If you were a network administrator looking for zombies on your network, what would you look for? You might look for the same kinds of things a network administrator or intrusion detection system might look for incoming to a network: initiation of protocol actions without closing them, sending a large number of similar packets in a small amount of time, or sending a large amount of outbound traffic to a particular address but receiving little response from that address. Notice, however, that this last condition could also be normal, as when an application sends large email messages or transfers large files using the FTP protocol. These latter cases are distinguished by the port or protocol number to which they are destined.
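The three symptoms listed in the answer to exercise 7, applied to outbound flow records, as an added example that is not from the book. The record format, the thresholds, the addresses and the list of bulk-transfer ports are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

# Thresholds and the bulk-transfer port list are assumptions for this sketch.
HALF_OPEN_MIN = 20                       # unfinished handshakes per internal host
BURST_MIN, BURST_WINDOW = 30, 5.0        # similar flows to one target within N seconds
ASYM_BYTES, ASYM_RATIO = 1_000_000, 100  # outbound volume and out/in ratio
BULK_PORTS = {20, 21, 25}                # FTP and SMTP: lopsided traffic is normal


def parse(lines):
    """Parse 'ts,src,dst,dport,state,bytes_out,bytes_in' flow records."""
    flows = []
    for line in lines:
        ts, src, dst, dport, state, b_out, b_in = line.strip().split(",")
        flows.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                      "state": state, "out": int(b_out), "in": int(b_in)})
    return flows


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any window-long interval."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_suspects(flows):
    """Return {internal host: sorted list of reasons it looks like a zombie}."""
    half_open = defaultdict(int)
    similar = defaultdict(list)            # (src, dst, dport, size) -> timestamps
    volume = defaultdict(lambda: [0, 0])   # (src, dst, dport) -> [out, in]
    for f in flows:
        if f["state"] == "SYN_ONLY":       # exchange initiated, never completed
            half_open[f["src"]] += 1
        similar[(f["src"], f["dst"], f["dport"], f["out"])].append(f["ts"])
        totals = volume[(f["src"], f["dst"], f["dport"])]
        totals[0] += f["out"]
        totals[1] += f["in"]

    reasons = defaultdict(set)
    for src, count in half_open.items():
        if count >= HALF_OPEN_MIN:
            reasons[src].add("half-open")
    for (src, _dst, _port, _size), times in similar.items():
        if max_in_window(times, BURST_WINDOW) >= BURST_MIN:
            reasons[src].add("burst")
    for (src, _dst, dport), (out, inn) in volume.items():
        if dport in BULK_PORTS:            # the benign case named in the answer
            continue
        if out >= ASYM_BYTES and out >= ASYM_RATIO * max(inn, 1):
            reasons[src].add("one-way")
    return {host: sorted(why) for host, why in reasons.items()}


# Constructed sample flows (documentation and private address ranges).
SAMPLE = (
    [f"{i * 0.1:.1f},10.0.0.5,203.0.113.9,80,SYN_ONLY,60,0" for i in range(40)]
    + ["1.0,10.0.0.7,198.51.100.25,25,CLOSED,5000000,2000"]    # large outbound mail
    + ["2.0,10.0.0.8,198.51.100.53,8080,CLOSED,4000000,0"]     # large send, no reply
    + [f"{i * 30.0:.1f},10.0.0.9,192.0.2.80,443,CLOSED,1500,90000" for i in range(10)]
)

if __name__ == "__main__":
    for host, why in find_suspects(parse(SAMPLE)).items():
        print(host, why)
```

The mail sender 10.0.0.7 is excluded only because of its destination port, which is exactly the distinction the answer relies on; a flagged host is a lead for investigation, not proof of compromise.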
8.
Recall that packet reordering and reassembly occur at the transport level of the TCP/IP protocol suite. A firewall typically operates at a lower layer, either the Internet or data layer. How can a stateful inspection firewall determine anything about a traffic stream when the stream may be out of order or damaged? If the firewall wants to observe qualities at a higher protocol level, it must do the work of the higher level, in this case, reassembling packets, or enough of the packet to allow the firewall to perform its analysis.
9.
In one description of a botnet, we said that at one point the owner of Conficker digitally signed changes to the bots’ code with a secret key message digest function. How did that approach affect security analysts’ ability to analyze and counter the botnet? Without the symmetric key, security specialists would be unable to apply their own changes to the bots, as a way to neutralize the botnet.
Interlude C: Cyberwarfare
This third interlude is the most complicated, in part because it covers the broadest range of possible actions.
Topic Reading and Discussion Points
There is much written material on cyberwarfare for students to read outside of class. The suggested papers in the Interlude are a good starting point. A simple web search will find numerous current papers, articles, and position pieces. One problem, raised in the Interlude, is that cyberwarfare is not well defined. When one country invades another, we know it is warfare—or at least a hostile act that could lead to formal declaration of war. We know the invading army is acting as an agent of a government, presumably with the knowledge and backing of that government. When one group of terrorists invades another’s cyberspace, we cannot always distinguish between individuals and government-sponsored actors. Worse, we cannot always identify the true initiating party: It may look as if the attack came from country A, but it could really have come from country B using techniques designed to make it appear as if the attack were from A. Thus retaliation against A can be dangerous. What constitutes an actionable attack: Is a web site defacement an act of war or merely a low-level nuisance? Is an attack against a country’s critical infrastructure, such as the electric power grid or telecommunications infrastructure? Secrecy further complicates the picture: If soldiers from one country physically invade another, the presence of troops or labeled enemy aircraft or ships is a pretty clear sign of an attack. With cyberwarfare, however, the attacking country may want to keep even the fact of the attack secret. The attacker may plant a Trojan horse to infiltrate sensitive data, although that is more like a traditional act of espionage. The attacker may plant malicious code to disable a particular capability, for example, as detailed in the Stuxnet worm in Iran, described in the Interlude. In that case, the presence of the worm was detected only after the fact by noticing its effect.
An attacker might want to plant malicious code that remains dormant until receiving some remote signal to activate. And to preserve the attack capability, the attacking country may take measures to conceal the internal structure of the malicious code.
Security Analysis
After choosing a definition of cyberwarfare, students should next consider national defenses. We recommend our familiar threat–vulnerability–countermeasure framework.
Threat: Harm
An act of cyberwarfare might potentially be any attack in this book, as well as any someone could devise, although certain attacks would probably not rise to the bar of true cyberwarfare, as opposed to international cyber annoyance. Here are some suggestions of types of harm that might denote cyberwarfare:
• Harm to infrastructure: Roads, bridges, the transportation network in general. Telecommunications. News media. Essential utilities: electricity, water, fuel. Food distribution. Others?
• Harm to essential services: Police, fire, medical care, food, water, shelter.
• Harm to nonessential but highly desirable services: commerce, banking. Others?
• Loss of confidentiality: Notice that military, political, and even commercial intellectual property has been stolen for centuries; when performed on behalf of another country, this activity is normally termed espionage, and seldom rises to an act of war. The distinction is subtle, however. If a goal of war is to overtake another country, does it matter if the overtaking is done with military force or by theft of a country’s competitive edge? The so-called cold war of the last half of the 20th century did not involve a single shot nor hostile act, but there was plenty of theft of economic secrets by which one country wanted to surpass and even annihilate another economically. How does this situation apply to cyberspace?
• Loss of integrity: Changes to a country’s banking account data could disrupt banking for some time. Nonhostile activities such as regional power blackouts show vulnerability to small amounts of incorrect data at the right place. Although the infrastructure was able to recover from these lapses in hours, there was inconvenience, and more carefully placed and widespread data attacks might have longer and more serious impact.
• Disinformation: A form of integrity failure is disinformation, also known as propaganda, which has been practiced during warfare for some time. (Consider Sidebar 12.1.) With increasing use of nontraditional news sources (blogs, other online postings) of uncertain veracity, an enemy might mount a successful disinformation attack by planting the same false story in numerous places. If the same story appears in three places on the Internet, it must be true?
• Loss of availability: Already considered in terms of critical and desirable infrastructure.
Threat Agents
Who are the potential attackers in a cyberconflict? Notice that the United States National Security Agency (NSA), which “plays both offense and defense in the cyber wars” has announced plans to hire 1,500 hackers in 2011 and 1,500 more in 2012 “to fight the cyber wars that pose a growing national security threat.” (Reuters, 2 Aug 2011). NSA is recruiting at Defcon, the annual, international convention of hackers, which draws 10,000 attendees, many of whom fit the stereotype of “hacker.” How can cyberwarriors be recruited, trained, and activated? Suggest that students ponder ways to do that. Old-time spies often had cover identities or special skills to allow them to infiltrate key positions. For example, a spy might have had engineering skills in order to get a job with a sensitive spacecraft company. How long might a country invest in developing its cyberwarrior corps? It is not expensive to plant an agent in a job, and assign the agent a task after ten years. By that time, the agent may have gathered significant inside knowledge, as well as a collection of friends, so the agent becomes trusted.
Method–Opportunity–Motive
Method and opportunity are much like other attacks. Motive is political, but it can be enhanced by patriotism. A cyberwarrior can also be deceived by superiors so that the attack can seem to serve a purpose (for example, freeing oppressed people) other than it really does (toppling a regime). Students can consider other possibilities for motive.
Countermeasures
Countermeasures for cyberwarfare are the same as for the other attacks explored in this book.
Suggestions for Further Work
Students can research specific topics of cyberwarfare. One research topic is to take an example of an attack that might qualify as cyberwarfare, such as the cases described in this Interlude, or another event of current interest. The students should explore the attack, the threat that was or might have been apparent before the attack, the vulnerability exploited, and the countermeasures that were or could have been applied before or after the attack. Students could also pick a target, for example, diamond production in South Africa, and outline the who, what, and how of an attack against that target. The students should justify that the attack has political significance, that is, show how a successful attack would weaken the country politically, and identify a nation that might want to and be able to perform such an attack. Useful reading is “Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities” from the National Academies of Science (2009). In this report, the panel recommends that the government develop doctrine for what kinds of cyberwarfare activities it is willing or not willing to perform. This decision is a social and political one, quite independent of the capability of technology. The panel argues that the time to determine boundaries is before the technology exists.
Chapter 16: ‘Twas Brillig and the Slithy Toves …
This relatively short chapter covers topics that should come as no surprise to students. The different forms of data corruption have all been introduced, or at least hinted at, previously. The countermeasure of cryptographic chaining is important but not difficult to grasp.
Chapter Exercises
1.
Is electronic code book cryptography an adequate countermeasure against a sequencing attack? Why or why not? It is not adequate, because blocks of encrypted text can be permuted without detection. The only counterpoint is that cryptographic block boundaries are not necessarily logical boundaries in the plaintext; that is, 8-byte segments can be shuffled, but critical data items may not be neatly reflected within a single segment.
2.
Is electronic code book cryptography an adequate countermeasure against a salami attack? Why or why not? It is not adequate, because blocks of encrypted text can be sliced out and recombined without detection. The only counterpoint is that cryptographic block boundaries are not necessarily logical boundaries in the plaintext; that is, 8-byte segments can be sliced out and merged, but critical data items may not be neatly reflected within a single segment.
3.
A university uses a computer system to manage its records of students’ course grades. As though you were a consultant to the university, describe three different types of attacks that might be made against such a system, and recommend countermeasures that the university should take against these attacks. (1) Impersonation, in which an outsider tries to obtain copies of students’ records; the countermeasure here is strong authentication. (2) Impersonation, in which an unauthorized person—inside or outside—tries to modify students’ grades; the countermeasures here are strong authentication to prevent unauthorized access; auditing to determine how, when, and by whom a grade was changed; and least privilege, to limit the number of people who can change grades and what changes they can make. (3) Denial of service, in which someone attempts to delete the entire records system; the countermeasures here are redundancy and backup, to reduce the harm from loss of a main data set, strong access control, both inside and outside the system, to prevent access to the database or the device on which it is stored, and code integrity checking, to prevent modification of the record management software itself. Other attacks are possible.
4.
Does block chaining protect against a sequencing attack? That is, if two ciphertext blocks are interchanged, will the decryption fail demonstrably? Explain your answer. It depends on the underlying data. Block chaining will produce an incorrect decryption if two or more blocks are moved. However, the moved blocks will still decrypt to some bit pattern, although the semantics of that bit pattern are questionable. Then, it is up to the application or the user to recognize that the decrypted data are not valid.
5.
A human keyboard operator entering data from financial records consistently enters l (lower case L) instead of 1 (one). Explain how this error should be detected and corrected; that is, at what stage of processing, by what program, and when. Data errors such as that should be detected at the field level. Presumably, at least some of the data being entered are for numeric fields, so the application program receiving the data should generate an error condition any time it receives an l (lower case L) in a numeric field. The error should be signaled as close to the point of entry as possible. In this case, if the operator were notified that a letter is unacceptable in a numeric field, the operator might soon change data entry practices.
6.
What property of the exclusive OR function allows it to be used for block chaining? That is, could the AND or OR function be used equally well? Explain your answer. Logically, exclusive OR can be composed from AND, OR and NOT: A XOR B = (A OR B) AND NOT (A AND B). However, that is not the appropriate answer. The point is that exclusive OR is its own inverse: A XOR B XOR A = B, and A XOR A = 0 for all values A and B. During encryption, the running exclusive OR of all preceding blocks is exclusive ORed to each block, but that same cumulative value is exclusive ORed to all decrypted blocks. Exclusive ORing the same value twice has no effect. Thus, the application of exclusive OR cancels the effect of the original exclusive OR.
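The answers to exercises 1, 4 and 6 can be checked with a short experiment. The following is an added example, not code from the book: it assumes a toy 8-byte Feistel cipher built from SHA-256 (chosen so the sketch runs without third-party libraries; it is not a vetted cipher), standard CBC as the chaining mode, and an HMAC tag as one way to make a reordering fail demonstrably. All keys and records are constructed.

```python
import hashlib
import hmac

BLOCK = 8  # 8-byte blocks, matching the "8-byte segments" in the answers

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, rnd, half):
    # Toy round function (assumption): truncated SHA-256. Not a vetted cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in range(4):
        left, right = right, xor(left, round_fn(key, rnd, right))
    return left + right

def dec_block(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_fn(key, rnd, left)), left
    return left + right

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plain):
    return [enc_block(key, p) for p in blocks(plain)]   # every block independent

def ecb_decrypt(key, cipher):
    return b"".join(dec_block(key, c) for c in cipher)

def cbc_encrypt(key, iv, plain):
    out, prev = [], iv
    for p in blocks(plain):
        prev = enc_block(key, xor(p, prev))   # XOR in the previous ciphertext block
        out.append(prev)
    return out

def cbc_decrypt(key, iv, cipher):
    out, prev = [], iv
    for c in cipher:
        out.append(xor(dec_block(key, c), prev))  # the same XOR cancels the first
        prev = c
    return b"".join(out)

def swapped(seq, i, j):
    seq = list(seq)
    seq[i], seq[j] = seq[j], seq[i]
    return seq

def tag(mac_key, iv, cipher):
    # Integrity tag over IV and ciphertext, under a key separate from KEY.
    return hmac.new(mac_key, iv + b"".join(cipher), hashlib.sha256).digest()

def verify(mac_key, iv, cipher, expected):
    return hmac.compare_digest(tag(mac_key, iv, cipher), expected)

# Constructed sample: four 8-byte fields (two account ids, two amounts).
KEY, MAC_KEY, IV = b"demo-enc-key", b"demo-mac-key", b"\x01" * BLOCK
PLAIN = b"ACCT0001" b"00000100" b"ACCT0002" b"00999900"

def demo():
    ecb = ecb_encrypt(KEY, PLAIN)
    cbc = cbc_encrypt(KEY, IV, PLAIN)
    good_tag = tag(MAC_KEY, IV, cbc)
    return {
        # ECB: blocks 1 and 3 interchanged, every block still decrypts cleanly.
        "ecb_after_swap": ecb_decrypt(KEY, swapped(ecb, 1, 3)),
        # CBC: no error is raised, the moved blocks just decrypt to other bits.
        "cbc_after_swap": blocks(cbc_decrypt(KEY, IV, swapped(cbc, 1, 3))),
        "cbc_blocks": cbc,
        "mac_ok_untouched": verify(MAC_KEY, IV, cbc, good_tag),
        "mac_ok_after_swap": verify(MAC_KEY, IV, swapped(cbc, 1, 3), good_tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Under ECB the two amounts change places and nothing looks wrong; under CBC the receiver gets unintelligible bytes but no failure signal, which is why the answer to exercise 4 leaves detection to the application unless a tag is verified first.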
7.
The password salt prevents two identical passwords from having the same encrypted value; it was originally developed because the Unix password table can be read by many processes. Would it not be more sensible simply to protect the password table against read access? Justify your answer. Protecting the password table against read makes it an obvious target for attackers. The original idea of the Unix designers was to eliminate secrecy and access control entirely, and store the table with unlimited read privilege. That approach worked well initially, before offline password-trying attacks became feasible. Now, however, after such attacks have become popular, the table must still be protected against inappropriate read access.
8.
In his Foreword, Charles Palmer observes that many people are concerned with privacy and secrecy, so they think of confidentiality as the most important goal in computer security. He then points out that as we become more dependent on computers, availability becomes the highest priority goal. Examine his reasoning and prepare an argument to justify that integrity is at least equally important as availability to the critical infrastructure. He contends that a critical infrastructure is critical, which is obviously right. However, if the infrastructure is critical, then its correct functioning—not just its presence—is what is critical. Correctness requires integrity.
9.
A sensitive file is encrypted for confidentiality. Does that also provide integrity protection? Explain your answer. Be specific as to which of the several interpretations of integrity is or is not protected. Cryptography ensures that virtually all changes to ciphertext will have some effect on the plaintext to which the ciphertext is decrypted. However, the effect may or may not be readily detected. If the underlying plaintext is natural language prose, humans would notice an abrupt switch from letters to an incoherent mixture of letters, digits and special symbols. However, computer applications are not so discerning: a word processor will duly format any string of characters. Dense graphical images, music, or compacted databases may decrypt to a form that can be processed, but not in the way intended. Thus, the integrity protection depends on an intelligent or sensitive application to process data whose integrity may be compromised. Integrity, as in intact, precise, fit for purpose, or semantically valid, is not preserved.
Additional Exercises
1.
Explain the difference between a checksum and a code such as a Hamming code for integrity protection of data. A checksum can report only that some change has occurred to the data, but it cannot identify what was changed. A Hamming code, or other error correction code, not only reports that change occurred but also what the change was and how to undo it.
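The difference described in exercise 1, as an added example that is not from the book. It assumes an additive checksum (any plain checksum behaves the same way here) and a Hamming(7,4) code applied to a constructed message, and it includes the two-bit case in which a single-error-correcting code corrects to the wrong value.

```python
from functools import reduce

DATA_POS = (3, 5, 6, 7)   # 1-based codeword positions that carry data bits
PARITY_POS = (1, 2, 4)    # positions that carry parity bits


def checksum(data):
    """Additive checksum: says whether something changed, not what or where."""
    return sum(data) % 256


def syndrome(code):
    """XOR of the 1-based positions of all set bits; 0 for a valid codeword."""
    return reduce(lambda acc, pos: acc ^ pos,
                  (i for i, bit in enumerate(code, 1) if bit), 0)


def hamming_encode(nibble):
    code = [0] * 7
    for k, pos in enumerate(DATA_POS):
        code[pos - 1] = (nibble >> (3 - k)) & 1
    s = syndrome(code)
    for pos in PARITY_POS:              # choose parity so the syndrome becomes 0
        code[pos - 1] = 1 if s & pos else 0
    return code


def hamming_decode(code):
    """Return (nibble, position corrected); position 0 means no error seen."""
    code = list(code)
    pos = syndrome(code)                # nonzero syndrome names the flipped bit
    if pos:
        code[pos - 1] ^= 1
    nibble = 0
    for p in DATA_POS:
        nibble = (nibble << 1) | code[p - 1]
    return nibble, pos


def encode_message(data):
    return [hamming_encode(n) for byte in data for n in (byte >> 4, byte & 0xF)]


def decode_message(codes):
    nibbles, fixes = [], []
    for idx, code in enumerate(codes):
        nibble, pos = hamming_decode(code)
        nibbles.append(nibble)
        if pos:
            fixes.append((idx, pos))    # which codeword, which bit was repaired
    data = bytes((nibbles[i] << 4) | nibbles[i + 1]
                 for i in range(0, len(nibbles), 2))
    return data, fixes


def demo():
    msg = b"GRADE=A1"                   # constructed record
    sent_sum = checksum(msg)

    damaged = bytearray(msg)
    damaged[6] ^= 0x02                  # one bit flips in transit: 'A' becomes 'C'

    codes = encode_message(msg)
    codes[13][5] ^= 1                   # the same data bit, flipped in its codeword
    repaired, fixes = decode_message(codes)

    twice = hamming_encode(0x1)
    twice[2] ^= 1                       # two flips in one codeword (positions 3, 5)
    twice[4] ^= 1
    return {
        "received_with_checksum": bytes(damaged),
        "checksum_detects": checksum(bytes(damaged)) != sent_sum,
        "hamming_data": repaired,
        "hamming_fixes": fixes,
        "double_error": hamming_decode(twice),   # miscorrected, not repaired
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```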
2.
Can a user obtain integrity protection when using the UDP protocol suite? Explain your answer. A user can build integrity protection into the application run over UDP. For example, a user may need only a rough approximation of intactness: if a few bits are changed in a picture, the overall image may still be of adequately high quality. Thus, the user could build into the application a simple scheme, such as a few parity bits, that would detect the degree of modification data had suffered. The application could ask for a fresh copy of the changed data only if the amount of change became unacceptably high.
3.
In the sidebar in this chapter on the organ donor database, what program design could have reduced the likelihood of the kind of error that occurred? Instead of using a tight coding, the application could have used a representation that was more semantically meaningful, for example, A1K0L1, meaning all organs (1), kidneys (0), liver (1), and so forth. Then, the application program could have checked the validity of a data item when it was entered. (In this case, for example, all (yes) and kidneys (no) is semantically invalid and should be rejected.)
Chapter 17: Peering Through the Window
Peer-to-peer sharing is probably familiar to many students, although the vulnerabilities described here may not be.
Instructional Suggestions
The work of [M.] Eric Johnson is important and quite accessible. Students can read his original work; other papers on data exposure can be found from http://www.tuck.dartmouth.edu/digital/ links. This chapter is a good point at which to open a discussion of ethics: What are the ethics in peer-to-peer sharing of restricted data (such as media)? What is the natural outcome if a performer’s sales drop 10 or 50 percent because content is being shared illegally? Is there a concept of “fair use” that applies? Is there a better countermeasure than legal action?
Chapter Exercises
1.
Explain how peer-to-peer networks could achieve fault tolerance for the data being shared. That is, considering the peer-to-peer architectural model, how would a user at node A be able to detect and compensate for corruption of a data file that was replicated at nodes X, Y, and Z? The user at A, finding an incorrect file at, for example, X, would correct the data of that file and save it as a newer version. The peer-to-peer system would detect that the file at X was newer (hence, better) than the files at Y and Z, so it would force a propagation to Y and Z.
2.
Discuss the advantages and disadvantages of a mark of approval under which a peer-to-peer network would display an icon certifying that it patrolled against malicious software and inappropriate data disclosure. Pro: The mark indicates some quality control. Con: The icon could be forged, bought, bribed, or stolen. The meaning of the icon is nebulous: what does “malicious” software mean, how is software tested, how diligently is it patrolled, and how strong is the integrity mechanism to prevent unauthorized modification to “marked” software. As such, it provides a possibly false sense of security to prospective users.
3.
Discuss how to convince peer-to-peer sharing users of potential security threats to their systems, the degree of risk they face, and appropriate countermeasures they should take. Education of a constantly renewing population is difficult. A peer-to-peer sharing provider could post warnings at each opening screen to the web site. The provider could also require users to read and agree to a statement of the risk involved. However, evidence from the software development industry has shown that such statements tend to become long and loaded with legal language, and that users often select “yes” without reading. A provider could display a warning box: “Are you aware you are about to share 537 files from 17 separate directories? [Yes] [No]” Without full understanding of the risks identified in that warning, users may not act responsibly. None of these actions is in the best interest of peer-to-peer sharing services, however, because these services want to maximize the amount of content shared by their members.
4.
Cite reasons software developers might not incorporate secure defaults in their programs. (1) Developers are usually not trained in, and even not sensitive to security threat analysis. (Developers should all read this book!) (2) Security is but one of several competing interests, including performance and usability; secure defaults may be in opposition to other interests. (3) Development sometimes begins with a rough prototype to map out the general purpose and functioning of an application; such a prototype may not include security, because the development team expects to add security later, when the system is actually implemented. However, after spending time and money to develop the prototype, managers sometimes tell the development team to simply build on the prototype, not start over to redesign and reimplement it. Also, at the time reimplementation is done, either from scratch or to the prototype, security becomes difficult to add effectively. Thus, for all these reasons, secure defaults may be omitted from production software.
5.
In his foreword, Charles Palmer observes that technology is not the answer to all computer security problems. This chapter, for example, has cited such controls as user education and laws. List five countermeasures, other than ones Palmer cites, that are not technology. (1) Physical security: gates, guards, and guns. (2) Contracts and agreements. (3) Audits and review procedures. (4) Employee recognition, morale, and praise for doing the “right” thing. (5) Planning, such as incident response and disaster recovery. (6) Procedures, such as scheduled backups. (7) Ethics.
6.
Is it a reasonable countermeasure to put a volume limit on amount of data exported under a peer-to-peer system? That is, suppose the user imposed a limit of 1 MB (or any other number) on data exported under such a system. Would that control be effective? Why or why not? What threat does this attempt to counter? Would it be likely peer-to-peer system providers would approve of such a measure? Why or why not? Any number selected will be too high to catch some unintended exports (exporting sensitive personal identity numbers can occur in a few bytes). On the other hand, any number chosen would be too low for some legitimate peer-to-peer exchanges. Finally, it is hard to argue that any number selected is anything other than arbitrary; there is no basis for saying n bytes is fine, but (n + 1) bytes is too much. Users are more likely to notice a prohibition on transfers of more than n bytes, so if they encounter a limit, they will work diligently to avoid the formal limit, but not the intention. For example, they will split a transfer into two of n/2, or send half today and half tomorrow. The threat to be countered is the exfiltration of sensitive information, but volume is only slightly related to sensitivity. And it is not in the interest of the providers to limit sharing, because that reduces the attractiveness to others of their sharing system.
7.
How does the general peer-to-peer design notion relate to the classic security design principles such as least privilege, economy of mechanism, complete mediation, and others? Least privilege and complete mediation are completely lost, as data become accessible to many people without restriction. The peer-to-peer system implements economy of mechanism, in that the implementation requires little code at each node. The design is conceptually simple. However, it has little security.
8.
Why are peer-to-peer sharing systems popular places for authors of malicious software to embed their code? What characteristics of peer-to-peer systems make them especially attractive? Peer-to-peer sharing attracts a wide community, some of whose users are not sophisticated computer users. The users understand that some of their exchange is of questionable morality or legality. The users tend to be younger, with less well developed senses of skepticism and distrust. Users often exchange music and video, not computer software. For all these reasons, users can be inclined to install code that comes with a data file.
9.
Can an intrusion detection or intrusion prevention system block unintended access via peer-to-peer sharing? Why or why not? Peer-to-peer sharing now operates largely in the HTTP protocol, which means an intrusion detection system must inspect inside the HTTP traffic to detect peer-to-peer sharing. A detection system could maintain a list of known peer-to-peer sites, but such lists change frequently. A detection system would be most capable of noticing an outbound transfer of a large amount of data, although such transfers by themselves are not necessarily suspicious. The best control an intrusion detection system could exert is to monitor the places programs are stored for execution: program directories in the file system, and modification of registry values associated with installing and running software. Even then, the intrusion detection system can only point out situations that are unusual; the user must be called upon to make a final determination of whether an activity is security-relevant.
Additional Exercises
1.
Explain how trust is involved in peer-to-peer sharing networks. Users trust (often with little or no justification) that the peer-to-peer system is benign: All users have the same objective of sharing content and will access only data and perform only actions consistent with that content.
2.
Suppose someone brings home data on a flash memory device to continue a project from work. List three ways such data could be inadvertently disseminated on a peer-to-peer network. (1) The user leaves the flash drive installed in the computer and activates the peer-to-peer software, which automatically scans for new content to disseminate. (2) The user creates a backup or duplicate copy of the data on the computer’s disk, where it becomes a candidate for dissemination next time the peer-to-peer application runs. (3) The user edits the data, and the editing application (for example, a word processor) creates a temporary or backup copy of the data on disk, where again it becomes a candidate for dissemination.
3.
Can a user inspect a downloaded P2P driver application to determine whether the code is malicious? Why or why not? First, the user typically has only executable, object code, which is difficult to analyze. Second, even if the user wanted to test the code in an isolated system, it would be difficult to know how to test it for malicious behavior or to monitor what the code did. This problem is shared with all code.
4.
A user clicks a file named songbird.mp3, and music plays; a user clicks word.exe and a word processor opens. But if a user clicks the file songbird.mp3 .exe, expecting music, a program executes. Who is at fault for this failure of expectation? Nobody is really at fault. The user should see the .exe at the end of the name, but often does not, especially if the distance is large between songbird.mp3 and .exe. The operating system designer is trying to help the user, by performing the same, simple function when a file is clicked: associate the file with an appropriate program. The malicious actor who wants the user to execute that file is clearly doing something inappropriate, but that is why we call them malicious actors; we cannot expect them to do only good things.
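The mismatch in this exercise can be checked mechanically. The following added example (not from the book) compares the extension a user is likely to read with the text after the last dot; the extension lists and function names are assumptions for illustration, and the sample names are constructed around the exercise's songbird.mp3 .exe.

```python
import re
from typing import List, NamedTuple, Optional

# Assumed extension lists for this example; tune them for your environment.
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "pif", "msi"}
DATA_DECOYS = {"mp3", "mp4", "avi", "jpg", "png", "gif", "pdf", "doc", "txt"}

# A dot, a short extension-like token, then optional whitespace at the end of
# the stem: the part of the name a user reads as "the" file type.
_APPARENT_RE = re.compile(r"\.([A-Za-z0-9]{1,5})(\s*)$")


class Finding(NamedTuple):
    name: str                # file name without directories
    apparent: Optional[str]  # extension the user is likely to read
    effective: str           # text after the last dot, which selects the handler
    padding: int             # whitespace characters separating the two
    suspicious: bool


def inspect_name(path: str) -> Finding:
    """Compare the extension a user sees with the one that picks the program."""
    name = re.split(r"[\\/]", path)[-1]
    stem, dot, ext = name.rpartition(".")
    effective = ext.strip().lower() if dot else ""
    apparent, padding = None, 0
    match = _APPARENT_RE.search(stem) if dot else None
    if match:
        apparent, padding = match.group(1).lower(), len(match.group(2))
    # Flag only the mismatch from the exercise: looks like data, runs as code.
    suspicious = effective in EXECUTABLE and apparent in DATA_DECOYS
    return Finding(name, apparent, effective, padding, suspicious)


def hidden_in_column(finding: Finding, width: int) -> bool:
    """True if a list view showing only `width` characters cuts off the name's end."""
    return len(finding.name) > width


def scan(paths: List[str]) -> List[Finding]:
    """Return findings for names whose real type contradicts their apparent type."""
    return [f for f in map(inspect_name, paths) if f.suspicious]


# Constructed sample names (the first three come from the exercise text).
SAMPLES = [
    "songbird.mp3",
    "word.exe",
    "songbird.mp3 .exe",
    "C:\\Users\\alice\\Downloads\\holiday.jpg" + " " * 40 + ".scr",
    "report.final.exe",
    "README",
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        cut = " (real extension cut off in a 30-character column)" if hidden_in_column(f, 30) else ""
        print(f"{f.name!r}: looks like .{f.apparent}, runs as .{f.effective}{cut}")
```

An honest executable such as word.exe is not flagged; only names whose visible type contradicts the effective one are reported.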
5.
In the sidebar involving Shawn Carpenter’s investigation of the Titan Rain attack, individual companies discovered these attacks on their own and determined how to address them individually. Compare the advantages and disadvantages of companies sharing knowledge and tools in case of an attack. Sharing runs the risk of making the attack visible, which may frighten off the attacker (a good thing) but leave the victims unable to monitor these attacks (a bad thing). However, a strong counterargument is that shared knowledge can lead to a faster, stronger, and more complete defense. We readily share descriptions of malicious code attacks, as well as patches and countermeasures; doing so in the face of intrusions is also prudent.
6.
Which kind of legal protection—patent, copyright, or trade secret—is most appropriate for protecting each of the following: photographs, standardized exams (such as the SAT, GRE, or TOEFL), recorded music, personal identity, a computerized game, a painting, and a recipe? Photograph: copyright. Standardized exam: although it is a written document whose copying and distribution you want to limit, the real issue is the secrecy of the exam: you do not want some test-takers to obtain a false high score by studying the exam in advance. The best protection is trade secret. Recorded music: copyright, to control distribution of copies. Personal identity: none of these. Computerized game: probably copyright, unless there were novel, scientific aspects of the gaming that should be protected by patent. Painting: probably copyright, although there is currently no technology to make effective duplicate copies. Recipe: probably copyright, assuming the goal is to control distribution; if the goal is to preserve secrecy, then trade secret.
Chapter 18: My 100,000 Nearest and Dearest Friends
Although the introductory example of this chapter involves social media, in fact the chapter addresses the larger issue of privacy in the face of massive data sharing on the Internet. Every customer loyalty program, RFID, web page sign-in, and survey gives another way we and our personal behavior can be tracked. Interesting side reading is Robert O’Harrow Jr.’s No Place to Hide (2006), which describes the reach of the massive data collection, correlation, and brokering industry.
Instructional Suggestions
In conjunction with this chapter, students should read Willis Ware’s committee report on Fair Information Practices [WAR73a]. Those principles formed the basis for the European Union Data Protection act. Students in the United States should read the European act and compare its privacy protections against those of the United States. Sweeney’s ability to identify a single person (in her example, the Governor of Massachusetts) from birthdate, zip (postal) code, and gender is a sobering reminder of how easy it is to identify a person from seemingly innocent data. In Chapter 2 on authentication, we set an exercise for students to try to determine other students’ secret information. In this chapter, students could revisit that exercise by seeing how much they can find out about each other from web sites.
Chapter Exercises
1.
Present arguments for and against having a so-called aging function for personal Internet data. That is, some postings might be automatically removed after one month, others after one year, others after one decade. Is this a feasible way to secure privacy? Why or why not? Privacy is not always related to the age of the data. In some cases, posting the sensitive data for even a second is too long. For example, an athlete suspected of using drugs would not want his or her blood test results posted even for a second. Furthermore, the Internet does not include an “erase” function: Once data items are posted, they are available for immediate copying and reposting, out of the control of the original poster.
2.
One way to reduce correlation might be to use multiple identifiers or database keys. For example, you might have one number for a driver’s license, another to identify you to your university or employer, another to use at the library. Does this system of multiple identification numbers prevent the kinds of correlation we have explored in this chapter? Explain why or why not. Having multiple numbers complicates, but does not eliminate, the possibility of correlation. If an analyst can find some basis for correlation, for example postal code, address, initials, food preference, shopping habits, and so forth, the analyst can form a tentative or positive connection between one number and another, which results in being able to link all data associated with the driver’s license number and all data associated with the employer’s number. Remember, too, that these associations occur without the user’s knowledge or even ability to refute. Thus, if number A123 is a convicted felon, and number XYZ456 is a minister, and an analyst (or analysis program) concludes that A123 and XYZ456 are the same person, that program can propagate the association that the minister is a felon, without the minister’s being able to protest.
3.
From an ethical perspective, argue whether a school is justified in making videos of students using computers outside of school (for example, at home). The school owns the computers and issues them to students for use in doing school work. What ethical principles would justify a school’s monitoring in this way? Would a school be similarly justified in recording which web sites the student had visited or recording all of a student’s keystrokes? Explain your position, citing ethical principles, not just personal opinion. Ethically, the school’s justification should be stronger than the student’s privacy right, and the school should ensure that nobody else is accidentally recorded (for example, someone walking past in the background). Ware’s fair information practices [WAR73a] require that a subject be given notice of the collection of the data and be able to challenge its accuracy. The principles also require that the data collected be used only for the purpose for which it was collected. The school should meet all these requirements in order to record students, or their keystrokes. An added complication is that these students may be minors, too young to be able to understand and reliably grant consent.
4.
From an ethical perspective argue whether a company is justified in making videos of employees using computers outside of the office (for example, at home). The company owns the computers, and issues them to employees for use in doing business work. What ethical principles would justify a company’s monitoring in this way? Would a company be similarly justified in recording which web sites the employee had visited or recording all an employee’s keystrokes? Explain your position, citing ethical principles, not just personal opinion. The situation is largely the same as in question 3. Data collection would have to meet a more significant need than the privacy that is being denied. Fair use of private data still applies. Probably the employees will not be minors, so they are presumed to be able to give their own consent.
5.
Consider a file of student records. What data items in that file would be inherently sensitive? Would any attributes (fields) or records (individual’s grades) necessarily be sensitive? Explain your answer. The association of a grade and a student is sensitive. Grades themselves are of low sensitivity, as long as it is impossible to relate a specific grade to an individual student. There might be a minor sensitivity in knowing that Professor Smith gave five As, three Bs and two Ds in a class, in part because it might reflect on that professor’s grading standards, but more importantly because it would say that two of the ten people in the class received grades of D (which might be combined with other data to identify those two people precisely). Names of students are usually not sensitive, nor are the courses they took. However, the fact that a single student enrolled in the same course four times might be more sensitive. A single student is usually sensitive for privacy reasons. However, a known person, for example the son of a senior government official or the daughter of a movie star, might be more sensitive because the entire family is of popular interest.
6.
Describe a situation in which the source of data could be sensitive, even more so than the data item itself. Data from a police informer, especially someone providing incriminating evidence against a violent figure.
7.
What might be reasonable values of n and k for the rule of n items over k percent as a basis for suppressing disclosure of sensitive data? The values depend on the size of the data set. For 100 data items, 5 percent is a relatively narrow focus, but for a database of 1 million items, 1 percent is still a large population.
8.
Explain why the sum of sensitive data might also be sensitive. Explain why the count of sensitive data items in a list of data might be sensitive. Sum: Consider salary, in a database of five people. If other factors indicate four of the five people have a modest income, and the sum is extremely high, it may be possible to estimate the four modest amounts, even to within a factor of two, and from that infer a rough estimate of salary. An example of a sensitive count is the count of people in an area who have been convicted of a violent crime. A count of zero is both uninteresting and reassuring, but any count above zero is interesting, especially if the sample size is small. (This situation can also cause people to look suspiciously at their neighbors.)
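The rule of n items over k percent, together with the sum and count cases from the two preceding exercises, as an added example that is not from the book: a cell's sum is withheld when its n largest contributions exceed k percent of the total, and (an assumption added here) the whole cell is withheld when it has fewer than min_count contributors. The salary figures and department names are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Cell = Tuple[Optional[int], Optional[float], str]  # (count, sum, decision)


def dominated(values: List[float], n: int, k: float) -> bool:
    """True if the n largest contributions exceed k percent of the cell total."""
    total = sum(values)
    if total <= 0:
        return False
    top_n = sum(sorted(values, reverse=True)[:n])
    return top_n * 100 > k * total


def release_table(records: Iterable[Tuple[str, float]],
                  n: int = 2, k: float = 80, min_count: int = 3) -> Dict[str, Cell]:
    """Decide, per group, which statistics may be published.

    min_count is an assumption of this example (a small-count threshold);
    n and k are the parameters of the rule discussed in the exercise.
    """
    cells: Dict[str, List[float]] = defaultdict(list)
    for group, value in records:
        cells[group].append(value)

    table: Dict[str, Cell] = {}
    for group, values in sorted(cells.items()):
        if len(values) < min_count:
            # Even the count is revealing when the group is tiny.
            table[group] = (None, None, "withheld: small count")
        elif dominated(values, n, k):
            # The sum would mostly describe n individuals, not the group.
            table[group] = (len(values), None, "sum withheld: dominance")
        else:
            table[group] = (len(values), sum(values), "released")
    return table


def residual_estimate(total: float, count: int, typical: float) -> float:
    """What an outsider infers about one member from a released sum,
    assuming the other count-1 members earn about `typical`."""
    return total - (count - 1) * typical


# Constructed salary records: (department, salary).
EXEC = [900000, 58000, 61000, 55000, 60000]   # four modest, one very high
RECORDS = (
    [("engineering", v) for v in (62000, 64000, 61000, 66000, 63000)]
    + [("executive", v) for v in EXEC]
    + [("legal", v) for v in (70000, 72000)]
)

if __name__ == "__main__":
    for group, (count, total, decision) in release_table(RECORDS).items():
        print(f"{group:12} count={count} sum={total} -> {decision}")
    # Why the executive sum must be withheld: the residual is close to 900000.
    print("inferred top salary:", residual_estimate(sum(EXEC), len(EXEC), 60000))
    # The choice of n matters: one item alone stays just under 80 percent.
    print("n=1:", dominated(EXEC, 1, 80), " n=2:", dominated(EXEC, 2, 80))
```

With the constructed executive cell, n = 1 at 80 percent lets the sum through while n = 2 blocks it, which is the sensitivity to n and k that the exercise asks students to reason about.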
9.
For a day, monitor your queries on a search engine. Suppose someone had access to those queries, knew they came from you, and knew your name. What would these queries reveal about you? Might an analyst derive any wrong inferences about you from your queries? Could the analyst validate these inferences in some other way?
Individual student responses.
10.
If you wanted to protect your privacy, suggest some methods you might use to prevent disclosure of sensitive information about you from analysis of your search queries as in the previous question. First, use several different computers. Second, encourage other people to use your computer. Third, intersperse queries to confuse the analysts. Fourth, avoid queries that correlate from previous separate queries.
11.
Suggest a design for a filter that would distinguish queries revealing sensitive data about the inquirer from those that do not reveal anything. What qualities would indicate that a query was sensitive?
This is a difficult question, as it requires the student to define “sensitive,” which society at large has not yet done. The student should begin by recognizing the need to define sensitive, as a first step in being able to identify sensitive data. Then the student should recognize that correlation, inference, and aggregation apply. The student’s response should not reflect only numerical data (even though most of the discussion in this chapter involved sensitive quantities). Finally, the student’s design should reflect an understanding that sensitive data can have synonyms, so that restricting only robber but not thief is acceptable.
12.
Credit card fraud is rampant. List the characteristics of credit card numbers that permit credit card fraud. Describe a less susceptible alternative means of paying for goods.
A credit card number is static, it is frequently reused, it is exchanged in plain sight, and it is not necessarily associated with a given person. The following steps would reduce the amount of credit card fraud: changing card numbers, having to give out only part of the number for each use, passing the number in a form that prevented the receiver from copying and reusing it, or requiring the number to be related to some aspect of the user (for example, one merchant would have to note if the user was right- or left-handed, another would have to note the user’s approximate age, and another would have to note whether the user wore eyeglasses).
13.
It is difficult to make an anonymous purchase with a credit card. Describe an alternative means of paying for goods on the Internet that would preserve the purchaser’s anonymity. Several people have proposed anonymous cash. A customer could fund a credit account, for example using an anonymous money order from a post office or bank. Then the customer could draw against that account by stating the account’s secret number and perhaps an access code. Changing the access code frequently would deter replay attacks.
14.
Find web sites for three similar institutions, for example, banks, that obtain and handle sensitive user data. From each web site obtain the site’s privacy policy. Compare these three policies to determine which site offers the greatest privacy to the user.
Student’s solution.
15.
Find web sites for three dissimilar institutions, for example a bank, a merchant, and a school, all of which have privacy statements. Compare these three policies to determine which site offers the greatest privacy to the user.
Student’s solution.
16.
Is legal protection an effective countermeasure against a web site owner’s obtaining and redistributing sensitive personal data about users? Explain the difficulties or efficacy of using the law to provide such protection. Laws are useful both to deter illegal activities and to obtain some restitution for innocent victims. However, laws are not totally effective. First, some people violate laws, regardless of the potential penalty. Some people assume they can avoid detection or conviction. Second, laws relate to a particular geographic or political region: the laws of one country are meaningless for crimes in another country. But jurisdiction is an important consideration: With computer crimes, especially data collection and dissemination, the victim may be in country A, using a web site hosted in country B but run by a hosting service with offices in C and servers in D, E, and F, when the data was obtained by an aggregator in G and given to someone in H. Which country’s laws are relevant? Third, prosecuting a case requires time and money, which may be expensive to the victim, or may be of low priority to a jurisdiction having limited funds for its court system. And the legal system is careful, deliberate, and fair, but those characteristics tend to make it slow. Finally, legal remedies, jail sentences and fines or monetary judgments, may not be adequate or appropriate compensation for someone whose personal privacy has been violated. Thus, although the legal system is necessary, important, and effective, it is not always the best countermeasure for a computer security problem.
Additional Exercises
1.
What characteristics of Facebook or similar social media sites make it a large risk for loss of personal data? Users tend to be younger people who do not appreciate the risk of posting sensitive data. Also, such inexperienced users do not understand the complexities of setting privacy options.
2.
A person signs an order giving consent for some personal data item to be displayed on the Internet. Subsequently, she reconsiders and wants to withdraw that consent. Under what circumstance is that possible; under what circumstances is it impossible? If the data can be recalled before they have been posted, the woman is safe. However, as soon as data are on the Internet, search engines will begin to detect the data and make copies for their own caching and analysis purposes. Furthermore, other users who can obtain access can copy the data themselves. Thus, as soon as the data are posted, you should consider them exposed to the world and unrecallable.
3.
List several factors that could make a sample nonrandom. In theory, in an unordered population, the first ten entries would be random. However, if there is any order to the set, taking entries from any specific positions could jeopardize randomness. If any data items are more likely to be selected than any others (for example, longer or shorter items are preferred), that would introduce a nonrandom quality. Attempts to ensure that the selection represents the underlying population can also make the selection nonrandom. For example, if the dataset consists of people from several countries, and 10 percent of the people come from Italy, in a sample of size 1000 you would expect roughly 100 selections from Italy. Reducing that to a sample of size 10, you might expect one person from Italy, perhaps two or maybe three, but certainly not all ten. However, if all names were in a hat, and you fairly picked ten names, you might by chance end up with all ten selections coming from Italy; that is the nature of randomness. However, in some situations you do not want randomness, but instead you want a sample that reflects the distribution of the underlying population. In this case, you would want exactly one of the ten people in the sample to have come from Italy. This constraint definitely skews the randomness.
4.
Which of Ware’s principles of fair information practice [WAR73a] are followed by common web search engines, such as Google or Bing? Which are followed by common applications, such as Firefox browser? Which are followed by popular web sites, such as Travelocity or microsoft.com? It is impossible to answer this question definitively. Google and Bing list privacy policies, but these policies can be freely changed at any time. Travelocity and Microsoft collect data for a number of purposes, and there is little evidence what data they collect, or what they do with it.
5.
What controls can a user exercise to preserve privacy? Sadly, the user has few options. To preserve privacy on a local computer, the user can employ all the technical controls (such as access control mechanisms, encryption, or separation) that we have described in this book. In communication with another trusted party, the user can use the authentication and encryption protections. However, if a user shares data with another unrelated or, worse, untrusted party, none of these controls applies.
6.
Does a merchant have to offer the same price to every customer? Should the merchant be required to? Explain your answer. A merchant can offer an object for sale at any price, as long as the process does not discriminate against a protected group (for example, selling to members of one racial group at a different price from those of another racial group). In some situations, prices are fixed, and the merchant can sell an item for only that price. Generally, however, a merchant is free to price any object at any price to any customer. The economic principle of a free market means that the optimum balance of price and profit occurs if there is this freedom to set prices. A free market, however, implies that buyer and seller are effective opponents; neither has a necessary advantage over the other. If either can predict the other’s behavior, that side can win unfairly.
7.
Is separation an effective control for database security? Is it effective to prevent aggregation? Separation is powerful and effective. Separation counters the objective of a database, which is to support efficient access to an entire data collection, including particular subsets. Thus, separation will probably limit the effectiveness of a database, in the sense that certain queries cannot be run. However, as such it does prevent certain forms of aggregation. This is an example of a security control that limits functionality or usefulness.
8.
One student suggested changing all sensitive terms to numbers, so if Paris, Vienna, and Tokyo were sensitive, they would be replaced by 1, 2, and 3 in a database. Is this an effective countermeasure? Why or why not? It is probably not effective. At some point an association may be found between 1 and Paris. For example, Air France flight 1738 travels from Paris to Vienna, so an entry for that flight number in the database could help an analyst to infer the association with numbers 1 and 2. It is difficult to prevent analysts from consulting information sources outside the database, for example, public reference works.
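The correlation argument of this chapter (Sweeney's birthdate, postal code, and gender; the multiple-identifier exercise; the recoding exercise above) can be audited before data are released. This added example, not from the book, finds records that link across two releases keyed by unrelated identifiers, then repeats the check after coarsening the fields; the group-size measure is the one usually called k-anonymity, and all records are constructed (the keys A123 and XYZ456 echo the exercise).

```python
from collections import Counter
from typing import Dict, List, Tuple

Record = Dict[str, str]
Release = Dict[str, Record]          # key (identifier) -> record

QI = ("birth", "zip", "gender")      # quasi-identifiers named in the chapter


def qi_tuple(record: Record) -> Tuple[str, ...]:
    return tuple(record[field] for field in QI)


def k_anonymity(release: Release) -> int:
    """Size of the smallest group sharing one quasi-identifier tuple.
    A result of 1 means at least one person is unique in the release."""
    return min(Counter(qi_tuple(r) for r in release.values()).values())


def linkable(a: Release, b: Release) -> List[Tuple[str, str]]:
    """Pairs of keys that an analyst can tie together with confidence:
    the quasi-identifier tuple is unique in both releases and identical."""
    count_a = Counter(qi_tuple(r) for r in a.values())
    count_b = Counter(qi_tuple(r) for r in b.values())
    unique_b = {qi_tuple(r): key for key, r in b.items()
                if count_b[qi_tuple(r)] == 1}
    pairs = []
    for key_a, record in a.items():
        t = qi_tuple(record)
        if count_a[t] == 1 and t in unique_b:
            pairs.append((key_a, unique_b[t]))
    return sorted(pairs)


def generalize(release: Release) -> Release:
    """Coarsen before release: year of birth only, three-digit postal prefix."""
    return {key: {"birth": r["birth"][:4],
                  "zip": r["zip"][:3] + "**",
                  "gender": r["gender"]}
            for key, r in release.items()}


# Constructed data: two releases with unrelated keys for overlapping people.
LICENSES: Release = {
    "A123": {"birth": "1961-07-31", "zip": "02138", "gender": "M"},
    "A124": {"birth": "1961-03-02", "zip": "02139", "gender": "M"},
    "A125": {"birth": "1975-11-12", "zip": "02141", "gender": "F"},
    "A126": {"birth": "1975-01-20", "zip": "02142", "gender": "F"},
}
EMPLOYEES: Release = {
    "XYZ456": {"birth": "1961-07-31", "zip": "02138", "gender": "M"},
    "XYZ457": {"birth": "1975-11-12", "zip": "02141", "gender": "F"},
    "XYZ458": {"birth": "1961-03-02", "zip": "02139", "gender": "M"},
    "XYZ459": {"birth": "1988-05-05", "zip": "02144", "gender": "F"},
}

if __name__ == "__main__":
    print("k before:", k_anonymity(LICENSES))
    print("links before:", linkable(LICENSES, EMPLOYEES))
    print("k after:", k_anonymity(generalize(LICENSES)))
    print("links after:", linkable(generalize(LICENSES), generalize(EMPLOYEES)))
```

Separate keys did nothing to stop the three links in the raw data; coarsening the shared fields is what removes them, at the cost of less precise records.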
Afterword
This concluding chapter raises a few points that rise above the individual attacks, threats, vulnerabilities, and countermeasures from the rest of this book. These points are intended as further thoughts to stretch students’ imaginations, while at the same time causing them to think of important large problems with security implications. The chapter concludes with several suggestions for action. Your students could address the following task: If you were the top cybersecurity advisor to the government, and you could recommend no more than five actions that would improve the nation’s cybersecurity, what would those five actions be? How many would be technological? How many would involve policy or law? How difficult would it be to achieve compliance? (You can pass a law, but that does not mean people obey it.) What incentives might encourage people to do what you want? Which threats would each action address? How effective would the action be in detecting, preventing, or recovering from harm?