Explain why any computer worm that operates without human intervention is likely to be either self-defeating or inherently detectable.
The existence of worms in a computer system is possible only if there are flawed security policies which the worms can exploit. Self-activating worms exploit vulnerabilities in computer services that run at all times. Such worms function either by attaching to running services or by executing commands on the system using the permissions held by the attacked services. Currently, most software services that run all the time are made immune to such attacks, or access to the services is restricted, which renders the worms ineffective (Weaver et al., 2003).
2. Question C-4.8. (p.218)
Suppose that you want to use an Internet café to login to your personal account on a bank web site, but you suspect that the computers in this café are infected with software keyloggers. Assuming that you can have both a web browser window and a text editing window open at the same time, describe a scheme that allows you to type in your userID and password so that a keylogger, used in isolation of any screen captures or mouse event captures, would not be able to discover your userID and password.
According to Herley and Florencio (2008), if the keylogger is used in isolation of mouse events and screen captures, the best approach is to type in both the browser window and the text editing window, toggling between the windows frequently. Since the keylogger does not know which window has focus, it cannot determine in which window the key events took place. By typing random keystrokes into the text editor between the successive keystrokes of the username and password in the browser window, the keylogger receives a long string of keystroke data. Even though the username and password keystrokes are embedded within that long string, the logger is not in a position to separate them from the surrounding junk (Secure Networks, 2006).
3. Question C-5.5. (p.265)
Explain how to use the three-way TCP handshake protocol to perform a distributed denial-of-service attack, such that the victim is any host computer and the “bots” that are bombarding the victim with packets are legitimate web servers.
According to Elleithy et al. (2009), this can be done by creating a worm-like program with which we install programs on legitimate web servers to attack a specific host machine. The attacker programs on the web servers work in the background, listening for the master program, which prompts them to launch a denial-of-service attack against the target host. The web servers use the three-way TCP handshake protocol to send connection requests that have invalid return addresses. Since distributed denial-of-service attacks can come from anywhere on the planet, they are difficult to stop. To implement the attack, we can use the ping of death attack, launching it from the web servers against the victim host computer. The worm should not be self-propagating and should carry its payload with it. It should sit silently on the assigned web server and wait for the master program to issue the order to attack the target host machine.
4. Question C-5.15. (p.266)
Johnny has just set up a TCP connection with a web server in Chicago, Illinois, claiming that he is coming from a source IP address that clearly belongs to a network in Copenhagen, Denmark. In examining the session logs, you notice that he was able to complete the three-way handshake for this connection in 10 milliseconds. How can you use this information to prove that Johnny is lying?
In the three-way handshake protocol for TCP, the signal must travel from the sender to the receiver, the receiver returns a reply to the sender, and the sender then acknowledges having received the reply. This means the signal must travel between the sender and receiver three times (Jaiswal et al., 2004). In ten milliseconds, therefore, the signal has about three milliseconds to travel from Chicago, Illinois to Copenhagen, Denmark. Since the speed of light is about 186400 miles per second, this would put the distance between Chicago and Copenhagen at roughly 559.2 miles, which is geographically not true. The distance between Chicago, Illinois and Copenhagen, Denmark is actually much greater than 559.2 miles, and therefore it is not possible to complete a three-way handshake in ten milliseconds between the two cities.
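The same light-speed argument as a reusable check, added here as an example (not part of the original answer): the city coordinates are approximate values assumed for the example, the `legs` parameter lets you count only the two legs the server itself observes (SYN-ACK out, ACK back) instead of the answer's three, and either way the claimed source is far outside the reachable radius.

```python
import math

SPEED_OF_LIGHT_MI_PER_S = 186_400   # the figure used in the answer above
EARTH_RADIUS_MI = 3958.8

# Approximate (latitude, longitude) in degrees; assumed values for this example.
CHICAGO = (41.8781, -87.6298)
COPENHAGEN = (55.6761, 12.5683)
MILWAUKEE = (43.0389, -87.9065)


def one_way_distance_bound_miles(handshake_ms, legs=3, c=SPEED_OF_LIGHT_MI_PER_S):
    """Farthest the peer could possibly be if the handshake time is spread evenly
    over `legs` one-way trips at the speed of light. Nothing travels faster, so any
    real client is at most this far away (10 ms, 3 legs -> about 621 miles)."""
    return handshake_ms / 1000.0 / legs * c


def great_circle_miles(a, b):
    """Haversine distance between two (lat, lon) points, in miles."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(h))


def handshake_is_plausible(handshake_ms, server_loc, claimed_client_loc, legs=3):
    """False means the claimed client location is physically unreachable in the
    logged handshake time, i.e. the source address is spoofed (or the log is wrong)."""
    bound = one_way_distance_bound_miles(handshake_ms, legs)
    return great_circle_miles(server_loc, claimed_client_loc) <= bound


if __name__ == "__main__":
    print(round(one_way_distance_bound_miles(10), 1))           # light-speed radius, miles
    print(round(great_circle_miles(CHICAGO, COPENHAGEN)))       # actual separation, miles
    print(handshake_is_plausible(10, CHICAGO, COPENHAGEN))      # Copenhagen claim
    print(handshake_is_plausible(10, CHICAGO, MILWAUKEE))       # a nearby client is fine
```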
5. Question C-6.7. (p.324)
Describe the types of rules that would be needed for a rule-based intrusion detection system to detect a DNS cache poisoning attack.
According to Cymru (2008), you should first evaluate the infrastructure of the caching server and then apply the patches and upgrades that help resolve the issue. Ensure that the latest version of the resolver is installed and that it is always running.
You should then limit access to the caching resolvers so that not just anyone can send queries to them. You should disable recursion to help thwart attacks, so that no one can force the resolver into performing iterative queries on their behalf.
The next rule is to enable logging and the gathering of statistics from the caching resolver, keeping records of the queries sent to it for at least one week. You may also capture DNS messages or raw packets as they travel to and from the caching server, using a server dedicated to packet capture.
Finally, investigate technologies such as the DNS security extensions (DNSSEC) to understand how they work, their strengths and weaknesses, and who is responsible for deploying them.
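Two of the rules above turned into detection logic over a constructed DNS message log, as an added example (not from the cited guide): rule 1 flags queries from outside the allowed client networks (the resolver is open to the world), rule 2 flags a source that sends a burst of responses whose transaction IDs match no outstanding query (the signature of a poisoning attempt guessing IDs). The allowed network, window and threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed for this example: only this network may query the caching resolver.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]
BURST_WINDOW_S = 1.0    # seconds
BURST_THRESHOLD = 3     # unmatched responses from one source within the window

# Constructed DNS message log, not captured traffic: (time_s, kind, src_ip, qname, txid)
SAMPLE_RECORDS = [
    (0.00, "query",    "10.0.0.5",      "www.example.com",  0x1A2B),
    (0.02, "response", "192.0.2.53",    "www.example.com",  0x1A2B),  # txid matches: answered
    (0.50, "query",    "203.0.113.9",   "bank.example",     0x4444),  # not an allowed client
    (1.00, "query",    "10.0.0.7",      "mail.example.com", 0x0101),
    (1.01, "response", "198.51.100.77", "mail.example.com", 0x0F00),  # txid guesses for a
    (1.02, "response", "198.51.100.77", "mail.example.com", 0x0F01),  # query this source
    (1.03, "response", "198.51.100.77", "mail.example.com", 0x0F02),  # never received
    (1.04, "response", "198.51.100.77", "mail.example.com", 0x0F03),
    (1.10, "response", "192.0.2.53",    "mail.example.com", 0x0101),  # the genuine answer
]


def is_allowed_client(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


def evaluate_rules(records, window=BURST_WINDOW_S, threshold=BURST_THRESHOLD):
    """Run both rules over a time-ordered DNS log; return (rule, src_ip, qname) alerts."""
    alerts = []
    outstanding = defaultdict(set)    # qname -> txids of our queries still awaiting an answer
    unmatched = defaultdict(deque)    # src_ip -> times of responses that matched no query
    flagged = set()
    for t, kind, src, qname, txid in sorted(records):
        if kind == "query":
            if not is_allowed_client(src):                 # rule 1: open resolver
                alerts.append(("unauthorized_client", src, qname))
            outstanding[qname].add(txid)
        elif kind == "response":
            if txid in outstanding[qname]:                 # answer to a query we sent
                outstanding[qname].discard(txid)
                continue
            # A guess that happens to hit the real txid passes as genuine here; the rule
            # catches the many misses that surround such a hit. Late duplicates of a real
            # answer also land here, so tune the threshold against normal traffic.
            q = unmatched[src]
            q.append(t)
            while q and t - q[0] > window:                 # keep only the current window
                q.popleft()
            if len(q) >= threshold and src not in flagged:  # rule 2: response burst
                flagged.add(src)
                alerts.append(("forged_response_burst", src, qname))
    return alerts
```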
6. Question C-6.9. (p.324)
Describe the types of rules that would be needed for a rule-based intrusion detection system to detect a ping flood attack.
According to Wang et al. (2007), perform packet classification in order to access the TCP header and identify SYN, FIN and RST packets. This identification should be done at the leaf routers, that is, at entities trusted by clients within an intranet.
You should then place a detection mechanism at both the first-mile router and the last-mile router to monitor the interface between the Internet and the intranet.
The next rule is to examine the discrepancy between FINs and SYNs. Under normal, long-running conditions, TCP semantics require a one-to-one ratio between FINs and SYNs, although in reality there is always some discrepancy in this ratio. The discrepancy is caused by the small number of long-lived TCP sessions and by the occurrence of RST packets: a TCP session may be terminated by a single RST packet without any FIN packets being generated, which violates the FIN-SYN pairing behaviour (DAX Networks, 2003).
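The FIN/SYN discrepancy rule above as per-window detection logic, added here as an example (a plain threshold on the counts, not the statistic from the cited paper): RSTs are counted as closes so that RST-terminated sessions do not look like half-open ones, SYN-ACK replies are excluded because only connection requests count, and, going a step beyond the answer, the same window counters also rate the ICMP echo requests a ping flood consists of. The packet log, window size and thresholds are constructed for the example.

```python
from collections import Counter

# Constructed packet log seen at the leaf router, not captured traffic: (time_s, proto, flags)
def make_sample():
    pkts = []
    for i in range(20):                               # 20 normal connections
        pkts.append((i * 0.1, "tcp", "SYN"))          # request in
        pkts.append((i * 0.1 + 0.02, "tcp", "SYN-ACK"))   # reply, must not count as a SYN
        pkts.append((i * 0.1 + 0.05, "tcp", "RST" if i % 5 == 0 else "FIN"))  # some close by RST
    pkts += [(5.0 + i * 0.01, "tcp", "SYN") for i in range(200)]              # SYN flood, no closes
    pkts += [(9.0 + i * 0.002, "icmp", "echo-request") for i in range(500)]   # ping flood
    return pkts


def window_stats(packets, window_s=1.0):
    """Count SYN, FIN, RST and ICMP echo requests per fixed time window."""
    buckets = {}
    for t, proto, flags in packets:
        c = buckets.setdefault(int(t // window_s), Counter())
        if proto == "tcp":
            if flags == "SYN":              # connection requests only; SYN-ACK is excluded
                c["SYN"] += 1
            elif flags == "FIN":
                c["FIN"] += 1
            elif flags == "RST":            # a RST can end a session with no FIN at all
                c["RST"] += 1
        elif proto == "icmp" and flags == "echo-request":
            c["ECHO"] += 1
    return {w * window_s: buckets[w] for w in sorted(buckets)}


def flood_alerts(packets, window_s=1.0, max_syn_excess=10, max_echo=100):
    """Rule 1: SYN - (FIN + RST) far above zero (half-open connections piling up).
    Rule 2: echo-request rate above the baseline. Returns (rule, window_start, value)."""
    found = []
    for start, c in window_stats(packets, window_s).items():
        excess = c["SYN"] - (c["FIN"] + c["RST"])   # about 0 for normal traffic
        if excess > max_syn_excess:
            found.append(("syn_flood", start, excess))
        if c["ECHO"] > max_echo:
            found.append(("ping_flood", start, c["ECHO"]))
    return found
```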
7. Question C-7.9. (p.384)
Ad servers are increasingly being used to display essential content for web sites (e.g., photos that are part of news items). Suppose that the same host is used to serve images for two different web sites. Explain why this is a threat to user privacy. Is this threat eliminated if the browser is configured to reject third-party cookies?
When a single ad server is used to serve two separate websites, it threatens the privacy of the websites' users: a user who visits a website composed of many objects from different servers generates several HTTP requests directed to those servers, each of which is controlled by a different administrative domain. A cookie is normally associated with each of these requests. Since cookies are used to maintain a session with the server, the cookie is sent back unchanged by the browser every time that particular website is accessed. Other websites may therefore be used to track users as they make repeated visits.
An advertisement server can use third-party cookies to track a user across the multiple sites on which its advertisements have been placed. Apart from tracking users, third-party cookies can be used to trace identities and even obtain personal information from social networks. The information may also be collected using JavaScript, since scripts can access cached information in browsers such as the history of visited links. Rejecting third-party cookies will therefore limit such threats (European Network and Information Security Agency, 2011).
8. Question C-8.1. (p.441)
What is the plaintext for the following cipher text, which was encrypted using a simple substitution cipher?
Cipher text: CJBT COZ NPON ZJV FTTK TWRTUYTFGT NJ DTN O XJL. Y COZ ZJV CPJVIK DTN O XJL MYUCN
Plain text: SOME SAY THAT YOU NEED EXPERIENCE TO GET A JOB. I SAY YOU SHOULD GET A JOB FIRST
Using frequency analysis, the general order of occurrence of the letters of the English alphabet, beginning with the most frequent letter, is: E T A O I N S R H L D C U M F P G W Y B V K X J Q Z. In the cipher text above, following the same frequency of occurrence, the letters are represented as follows (cipher letter for plaintext letter): C for S, J for O, B for M, T for E, O for A, Z for Y, N for T, P for H, V for U, F for N, K for D, W for X, R for P, U for R, Y for I, G for C, D for G, X for J, L for B, I for L and M for F.
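The substitution worked out above, applied and checked in code as an added example (not part of the original answer): `decrypt` recovers the plaintext from the key, and `frequency_guess` shows what a naive rank-for-rank frequency match would give on its own. On a text this short only the most common letter (T for E) and one lucky pair come out right, so the rest of the key has to come from word patterns such as the repeated DTN O XJL.

```python
import string
from collections import Counter

ENGLISH_ORDER = "ETAOINSRHLDCUMFPGWYBVKXJQZ"   # frequency ranking quoted in the answer
CIPHER = ("CJBT COZ NPON ZJV FTTK TWRTUYTFGT NJ DTN O XJL. "
          "Y COZ ZJV CPJVIK DTN O XJL MYUCN")
PLAIN = ("SOME SAY THAT YOU NEED EXPERIENCE TO GET A JOB. "
         "I SAY YOU SHOULD GET A JOB FIRST")
# cipher letter -> plaintext letter, as given in the answer (I->L and M->F included,
# since SHOULD and FIRST use them)
KEY = {"C": "S", "J": "O", "B": "M", "T": "E", "O": "A", "Z": "Y", "N": "T",
       "P": "H", "V": "U", "F": "N", "K": "D", "W": "X", "R": "P", "U": "R",
       "Y": "I", "G": "C", "D": "G", "X": "J", "L": "B", "I": "L", "M": "F"}


def decrypt(ciphertext, key):
    """Apply a substitution key; letters with no mapping show up as '?' so gaps are visible."""
    return "".join(key.get(ch, "?") if ch in string.ascii_uppercase else ch
                   for ch in ciphertext)


def letter_ranking(text):
    """Cipher letters from most to least frequent (ties broken alphabetically)."""
    counts = Counter(ch for ch in text if ch in string.ascii_uppercase)
    return [ch for ch, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def frequency_guess(ciphertext, order=ENGLISH_ORDER):
    """Naive first guess: i-th most frequent cipher letter -> i-th most frequent English letter."""
    return {c: order[i] for i, c in enumerate(letter_ranking(ciphertext))}


def guess_accuracy(ciphertext, true_key):
    """(pairs the naive guess gets right, pairs guessed); the remainder needs context."""
    guess = frequency_guess(ciphertext)
    return sum(1 for c, p in guess.items() if true_key.get(c) == p), len(guess)
```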
Cymru, T. (2008). Incident Response Guide to the Kaminsky DNS Cache Poison Exploit. MIT.
DAX Networks (2003). Ping Flood (ICMP Echo) Detection. New York.
Elleithy, K. M., Blagovic, D., Cheng, W. and Sideleau, P. (2009). Denial of Service Attack Techniques: Analysis, Implementation and Comparison. Journal of Systemics, Cybernetics and Informatics, Bridgeport, USA.
European Network and Information Security Agency (2011). Bittersweet Cookies: Some Security and Privacy Considerations. Heraklion, Greece.
Herley, C. and Florencio, D. (2008). How to Login From an Internet Café Without Worrying About Keyloggers. Redmond: Microsoft Research.
Jaiswal, S., Iannaccone, G., Diot, C., Kurose, J. and Towsley, D. (2004). Inferring TCP Connection Characteristics Through Passive Measurements. Intel Research, Cambridge.
Secure Networks (2006). Defeating Rootkits and Key Loggers. Los Angeles: Trlokom Inc.
Wang, H., Zhang, D. and Shin, K. G. (2007). Detecting SYN Flooding Attacks. EECS Department, the University of Michigan.
Weaver, N., Paxson, V., Staniford, S. and Cunningham, R. (2003). A Taxonomy of Computer Worms. Washington DC: DARPA.