Deck A

Question 1

What is Bluesnarfing

Answer 1

A cyber attack involving unauthorised access to information from wireless devices through bluetooth

Question 2

What is Bluejacking

Answer 2

An attack that sends unsolicited messages to Bluetooth-enabled devices

Question 3

What is BlueSmacking

Answer 3

A Denial of Service attack that overwhelms a device’s Bluetooth connection

Question 4

What is Bluebugging

Answer 4

A technique used to gain control over a device via Bluetooth

Question 5

What is BlueBorne

Answer 5

A set of vulnerabilities that allow attackers to take control of devices, spread malware, or perform other malicious activities via Bluetooth

Question 6

What is KNB

Answer 6

KNB is an attack that manipulates the data encryption process during Bluetooth connection estbalishment, weakening security

Question 7

What does KNB stand for

Answer 7

Key Negotiation Bluetooth

Question 8

What does BIAS stand for

Answer 8

Bluetooth Impersonation AttackS

Question 9

What does BIAS do

Answer 9

BIAS is an attack that exploits the pairing process allowing an attacker to impersonate a trusted device

Question 10

What is a Car Whisperer

Answer 10

A Bluetooth hack that targets vehicles, attackers can exploit to remotely unlock car doors or even start the engine without physical access

Question 11

What is bluetooth designed for

Answer 11

Transferring data over short distances from fixed and mobile devices

Question 12

What is a network of bluetooth devices called

Answer 12

Piconet

Question 13

What are multiple piconets called when they can interact

Answer 13

Scatternet

Question 14

What are risks with bluetooth

Answer 14

Unauthorised access, data theft, interference and device tracking

Question 15

What is the legacy Bluejacking attack

Answer 15

Sending unsolicited messages to Bluetooth-enabled devices, does not involve stealing data but rather an annoyance. AirDrop suffered from Bluejacking when people had Airdrop settings to Everyone, got fixed with Everyone being disabled after 10 min

Question 16

What is the legacy Bluebugging attack

Answer 16

An attacker gains full contol over a Bluetooth-enabled device allowing them to access and modify information, attacker does this by tricking the victim into pairing with a trusted device or brute forcing a pairing PIN

Question 17

What is BlueBorn attack

Answer 17

Threat presenting hackers the ability to exploit Bluetooth connections and gain complete control over targeted devices from computers mobile TV etc. did not require them to be paired or set on discoverable mode

Question 18

What does KNOB or KNB do

Answer 18

Exploits a flaw in the Bluetooth standard to undermine the encryption of Bluetooth connections that during pairing the attacker can intercept and set the length of the encryption key to one byte which can be bruteforced

Question 19

What are bluetooth attack mitigations

Answer 19

Keep devices updated, disable bluetooth when not needed, don’t connect to random devices

Question 20

What is Cryptanalysis

Answer 20

Cryptanalysis is the process of decrypting coded or encrypted data without access to the key used in the encryption process

Question 21

What is Cypher text

Answer 21

Cypher text is the scrambled, unreadable form of the plain text resulting from an encryption algorthm, this transformation is controlled by a key which is used in the encryption/decryption process.

Question 22

What is a Symmetric encryption

Answer 22

Same key is used for encryption/decryption

Question 23

What is Asymmetric encryption

Answer 23

Public key is used for encryption and private key is used for decryption

Question 24

What is frequency analysis

Answer 24

Based on the statistical study of the letters and symbols in the cypher text, if the freq. of characters in the cypher text matches the freq. of letters in the plain text it can provide clues to the substitution used

Question 25

What is a Cryptanalysis Side Channel Attack

Answer 25

A Cryptanalysis Side Channel Attack refers to a category of crypographic attacks that exploit information inadvertantly leaked during the execution of cryptographic algorithms

Question 26

What are the three types of cryptanalysis sidechannel attacks

Answer 26

Timing attacks, Power-monitoring attacks and Acoustic attacks

Question 27

What is a timing attack in cryptanalysis

Answer 27

Where an attacker gains information based on the amount of time the system takes to process different inputs. The attack measures the computation time to make informed guesses about the secret key

Question 28

What is a mitigation of a timing attack

Answer 28

Using constant-time algorithms to remove the correlation between data-dependant computation times and secret information

Question 29

What is a power monitoring attack in cryptanalysis

Answer 29

An attacker can exploit the variations in a devices power consumption to extract information based on the observation of the power consumption of a device during the execution of cryptographic operations.

Question 30

What are the two different types of Power monitoring attacks

Answer 30

Simple Power Analysis (SPA) and Differential Power Analysis (DPA)

Question 31

What is a SPA

Answer 31

Simple Power Analysis

Question 32

What is a DPA

Answer 32

Differential Power Analysis

Question 33

What does a SPA do

Answer 33

The attacker interprets the power consumption graph to identify operations, a spike in power could mean a specific operation

Question 34

What does a DPA do

Answer 34

A more sophisticated attack collecting power consumption data for many operations and using statistical analysis to find correlation between power consumption and values in bits in the secret key

Question 35

Mitigation of Power monitoring attacks

Answer 35

Power regulation and randomisation techniques to make power analysis more difficult

Question 36

What is Acoustic Cryptanalysis attack

Answer 36

Where an adversary seeks to extract information by analysing the sound emissions it produces during operation, sound emissions often correlate with different internal states or operations. The sound produced by the computers CPU or fans can change based on the computation being performed

Question 37

Mitigation of acoustic cryptanalysis attack

Answer 37

Use sound-absorbing materials in device construction and phyisically isolating sensitive components to reduce sound emissions

Question 38

What is the Spectre vulnerabiltiy

Answer 38

Spectre is a microprocessor vulnerability which breaks the isolation between applications allowing an attacker to trick error-free programs into leaking secrets.

Question 39

What is the Meltdown vulnerability

Answer 39

Meltdown is a microprocessor vulnerabiltiy that dissolves the isolation between user applications and the operating system allowing a malicious program to access the memory of other programs and the operating system

Question 40

What is the different between BFLA and BOLA

Answer 40

In BOLA the user is allowed to use the endpoint, in BFLA they are not authorised to use that endpoint

Question 41

What is BOLA stand for

Answer 41

Broken Object Level Authorisation

Question 42

What does BFLA stand for

Answer 42

Broken Function Level Authorisation

Question 43

What is SSRF

Answer 43

SSRF occurs when a web server fetches a remote resource and does not verify if that is an allowed link to the resource

Question 44

How can we determine SSRF

Answer 44

Using a netcat connection to ourself or to the localhost:80

Question 45

How to prevent SSRF

Answer 45

Remote resources checked against whitelist, not accepting user-input

Question 46

What is HTTPS also known as

Answer 46

HTTP over TLS

Question 47

What does TLS stand for

Answer 47

Transport Layer Security

Question 48

What does SSL stand for

Answer 48

Secure Sockets Layer

Question 49

What are the 3 levels encryption can be applied at

Answer 49

Encryption at rest - Encryption-in-transit, End-to-end encryption

Question 50

What is encryption at rest

Answer 50

Stored in an encrypted format to prevent unauthorised access

Question 51

What is encryption in transit

Answer 51

Data that is transmitted is encrypted before transmission and decrypted after reception

Question 52

What is end to end encryption

Answer 52

Encrypts data from the true sender to the final recipient such that no other party can access the data

Question 53

AES DES 3DES Blowfish, RCx are all?

Answer 53

Symmetric encryption

Question 54

Name 5 symmetric encryption types

Answer 54

AES DES 3DES Blowfish RCx

Question 55

Is the RCx family symmetric or asymmetric

Answer 55

Symmetric encryption

Question 56

What are the 4 RCx

Answer 56

RC2, RC4, RC5, RC6

Question 57

Name 6 asymmetric encryption types

Answer 57

RSA, DSA, ElGamal, ECC, DH, ECDH

Question 58

RSA DSA ECC DH ECDH are all

Answer 58

Asymmetric encryption methods

Question 59

What is a Public Key Infrastructure

Answer 59

A PKI comprises roles and processes responsible for the management of digital certificates, creation and revocation of certificates

Question 60

What is the purpose of a Certificate

Answer 60

The purpose of a Certificate is the bind public keys to an identity this proves the identity of the public key owner, ensuring when we encrypt data using a publi key only the designated recipient will receive it

Question 61

What is a Certificate Authority

Answer 61

CA’s are entities that are allowed to issue certificates,

Question 62

How can we verify the identity of a CA

Answer 62

Through a CA Certificate

Question 63

Where does the chain of CA’s lead to

Answer 63

A root CA

Question 64

What does a cipher suite do

Answer 64

A cipher suit defines the cryptographic algorithm used for a connection

Question 65

What is the format of a cipher suite

Answer 65

KeyExchangeAlgorithm_ServerAuthentication_WITH_EncryptionWithMode_MACAlgorithm

Question 66

Example of cipher suite

Answer 66

TLS_DH_RSA_WITH_AES_128_CBC_SHA256

Question 67

What does PFS stand for

Answer 67

Perfect Forward Secrecy

Question 68

What does PFS do

Answer 68

Means an attacker is not able to decrypt past messages even after obtaining a session key

Question 69

What cipher suites have PFS

Answer 69

All TLS 1.3 and TLS_DHE and TLS_ECDHE have PFS

Question 70

What improvements does TLS 1.3 have over 1.2

Answer 70

Dropping support for insecure cryptographic parameters and improving session establishment time

Question 71

What does a TLS 1.3 cipher suite contain

Answer 71

EncryptionAlgorithm_Mode_HashFunction

Question 72

What is a block cipher

Answer 72

A type of symmetric encryption algorithm that operates by splitting the input into blocks and encrypting the input block by block. It requires the input be divisible by the block size otherwise padding is added

Question 73

What is padding

Answer 73

Padding is the extra data added to reach the correct length so that the input is divisibile by the block size if AES block size is 16 and input is 30 we need to add 2 padding bytes to reach 32 bytes

Question 74

What is a padding oracle

Answer 74

Padding oracle attacks are the result of verbose leakage of error messages regarding the padding when the CBC encryption mode is used

Question 75

When does a padding oracle exist

Answer 75

A padding oracle exists if the system reveals whether the padding is valid or invalid through different error messages responses or timings

Question 76

What does POODLE stand for

Answer 76

Padding Oracle on Downgraded Legacy Encryption

Question 77

What does BEAST stand for

Answer 77

Browser Exploit Against SSL/TLS

Question 78

Wht are POODLE and BEAST

Answer 78

Both are padding oracle attacks that target encrypted data transmitted in SSL 3.0

Question 79

What is the SSL 3.0 padding scheme

Answer 79

The last byte is the length of the pad excluding that byte (n-1) and all other padding bytes are arbitrary

Question 80

Example of SSL 3.0 padding

Answer 80

DE AD BE EF is 4 bytes and we need 8 bytes so it becomes DE AD BE EF 00 00 00 03

Question 81

What is the essence of the POODLE attack

Answer 81

It forced the victim to send a crafted request containing a full block of padding meaning the attacker already knows the last byte then changing the data in the last block

Question 82

Prevention of POODLE

Answer 82

Disabling the use of SSL 3.0 entirely

Question 83

What is the Bleichenbacher Attack

Answer 83

A type of attack targeting RSA encryption in combination with PKCS#1 padding, if the web server leaks whether the padding was valid or not the attacker can decude informatiomn about the original unmodified plaintext and repeat it

Question 84

Prevention of Bleichenbacher attack

Answer 84

Not revealing padding information to the TLS client

Question 85

What is the DROWN attack

Answer 85

A type of Bleichenbacher attack that exploits a vulnerability in SSL 2.0

Question 86

What does DROWN stand for

Answer 86

Decrypting RSA with Obsolete and Weakened eNcryption

Question 87

Prevention of DROWN

Answer 87

Disabling SSL 2.0

Question 88

What does CRIME stand for

Answer 88

Compression Ratio Info-Leak Made Easy

Question 89

What does CRIME do

Answer 89

It targets the TLS compression and can target cookies for example, the attacker can append a param with the same name as the cookie and an arbitrary value (sess=XXXXX) then observe response length, and replace sequentially (e.g: sess=aXXXX) to see if response length is smaller meaning it was compressed and is a correct character

Question 90

What does BREACH stand for

Answer 90

Browser Reconnissance and Exfiltration via Adaptive Compression of Hypertext

Question 91

What does BREACH do

Answer 91

A variant of the CRIME attack that targets HTTP-level compression meaning it leaves the HTTP headers uncompressed and we can only attack the HTTP body for things like CSRF tokens

Question 92

What is the Heartbleed Bug

Answer 92

The heartbleed extension was implemented to check if a TLS connection is alive with a request in format of (, ) but it was found that the length is not validated and can send a small payload with a large data field and the server will respind with memory beyond the sent payload

Question 93

Prevention of Heartbleed bug

Answer 93

Updating from vulnerable OpenSSL version 1.0.1 through 1.0.1f

Question 94

What is SSL Stripping

Answer 94

SSL Stripping is forcing a victim to not use HTTPS but fall back to insecure HTTP

Question 95

What is ARP spoofing

Answer 95

Sending a forged/spoofed ARP response to become a MiTM and receive packets destined for a different host/MAC

Question 96

What is the mitigation of a SSL stripping attack

Answer 96

The header Strict-Transport-Security (HSTS)

Question 97

What does HSTS stand for

Answer 97

Header Strict-Transport-Security

Question 98

What does the HSTS do

Answer 98

The header tells the browser that the target should only be accessed through HTTPS any attempts to access the site via HTTP are rejected and converted to HTTPS

Question 99

What does Lucky13 exploit

Answer 99

A timing difference in the MAC stage when the CBC mode is used. Lucky13 exploits the fact that MAC computation is still slightly longer in some cases

Question 100

What does FREAK stand for

Answer 100

Factoring RSA Export Keys

Question 101

What does FREAK exploit

Answer 101

Weak encryption used in SSL 3.0 and TLS 1.0 due to US restrictions

Question 102

What are export keys

Answer 102

Deliberately weak to comply with regulation in the US that restricted the export of strong cryptographic software

Question 103

What is a Downgrade attack

Answer 103

The victim is forced to use a older and insecure version of TLS or cipher suite

Question 104

What is a Cipher Suite rollback

Answer 104

It is possible for a MiTM to intercept the ClientHello and alter the list of cipher suite. The ServerHello will then choose a vulnerable cipher suite which the attacker can break

Question 105

What SSL / TLS version does Cipher Suite rollback target

Answer 105

SSL 2.0

Question 106

What is a TLS Downgrade attack

Answer 106

Where a MiTM can interfere with the TLS handshake and make packets drop resulting in a handshake failure and eventially a downgrade connection from e.g: TLS 1.2 to TLS 1.1 so on so forth down to whatever vulnerable connection

Question 107

What TLS versions should only be offered

Answer 107

TLS 1.3 and TLS 1.2

Question 108

When should TLS 1.0 and TLS 1.1 be offered

Answer 108

Only if it is necessary to support for legacy reasons

Question 109

What connections are completely insecure

Answer 109

SSL 2.0 and SSL 3.0

Question 110

What cipher suites should never be used

Answer 110

NULL and EXPORT cipher suites

Question 111

What cipher should should be used

Answer 111

Cipher suites that offer PFS (which is all TLS 1.3 and ECDHE and DHE in TLS 1.2)

Question 112

What is SSTI

Answer 112

Where web applications that utilise templating engines too dynamically put content on the site can be exploited

Question 113

What does SSTI stand for

Answer 113

Server Side Template Injection

Question 114

What does SSI stand for

Answer 114

Server Side Include injection

Question 115

What is SSI

Answer 115

SSI can be used to generate HTML response dynamically. When SSI directives are not validated an attacker can inject commands into the SSI directives

Question 116

What are the extensions commonly used for SSI

Answer 116

.shtml .shtm .stm

Question 117

What is Web Cache Poisoning

Answer 117

Web cache poisoning forces a web cache to serve malicious content to unsuspecting users visiting a vulnerable site

Question 118

What is classified as a weak session ID

Answer 118

If an attacker can bruteforce it. Needs to be at minimum 16 bytes long

Question 119

What are some session vulnerabilities

Answer 119

Premature Session Population, Common Session Variables, Session fixation

Question 120

What is Premature Session Population

Answer 120

When information is prematurely uploaded to the session cookie such as a username being stored in the cookie temporarily to provide a customised login failed error message. The cookie is cleared upon seeing the error but hitting the /profile endpoint with that cookie lets you through as the username is in the cookie

Question 121

What is Common Session Variables

Answer 121

When there are functionalities that share the same variable such as a 3 step password reset and 3 step account create where the 2nd step in password reset is security question answer. What if we complete step 1 and 2 from account create and use that cookie to bypass step 2 in password reset

Question 122

What is XPath Injection

Answer 122

When we can XPath queries do not get sanitised and we can craft specific queries to read contents of an XML document

Question 123

What are some XPath injection methods used for blind exploitation

Answer 123

name() substring() and string-length()

Question 124

What is LDAP injection

Answer 124

If a LDAP query is not properly sanitised we can perform injection attacks primarily regarding authentication

Question 125

What is LDAP

Answer 125

LDAP is a protocol used to access directory servers such as AD

Question 126

What does LDAP stand for

Answer 126

Lightweight Directory Access Protocol

Question 127

What is a very basic two examples of LDAP injection

Answer 127

On a login form simply * for username and password or a real username and a * for password