Exam (by Lersch)

Question 1

Define passive and active attacks.

Answer 1

Passive attacks

• Eavesdropping: secretly listening to a conversation
• Traffic Analysis: the inference of information from observation of traffic flows

Active attacks

• Spoofing (Masquerading): the pretence by an entity to be a different entity
• Denial of Service (DoS): prevention or inhibition of the normal use or management of communication facilities

Question 2

Which are the six Security Services?

Answer 2

• Authentication
• Access Control
• Confidentiality
• Integrity
• Non-repudiation
• Availability

Question 3

How to attack each security services?

Answer 3

Authentication
- IP spoofing, cracking passwords

Access Control
- wire-tapping, breaking authentication

Confidentiality
- eavesdropping, traffic analysis

Integrity
- man-in-the-middle attack, replay attack

Non-repudiation
- deletion of log files, masquerading

Availability
- denial of service attacks

Question 4

What is jamming?

Answer 4

Disrupting the communication by interference on

the same frequency/band. DoS attack.

Question 5

What is an ideal jammer?

Answer 5

• Energy efficient
• low probability of detection
• High level of DoS
• Resistance to anti-jamming techniques

Question 6

How to measure an ideal jammer?

Answer 6

PSR = packets set / packets intended to be sent
PDR = packets successfully received / packets sent
JSR = (Pj.Bt.Gjr.Grj.Dtr².Ltr) / (Pt.Bj.Gtr.Grt.Djr².Ljr)
CI = |E'| / |V| . (|V|-1)

Question 7

Which are the four jamming strategies?

Answer 7

• Constant jammer: continually emits radio signal
• Deceptive jammer: continually emits regular packets
• Random jammer
• Reactive jammer

Question 8

How to detect a jammer?

Answer 8

Using statistics of Statefullnetwork activity.

Question 9

How to mitigate a jammer?

Answer 9

• Channel surfing
• Spatial retreat
• JSR manipulation

Question 10

Three broken security mechanisms of IEEE 802.11.

Answer 10

• Hidden SSID (sniff from header of management frames)
• MAC filtering (sniff allowed MACs and spoof them)
• WEP

Question 11

WEP encryption and decryption.

Answer 11

M’ = IV || ((M || CRC(M)) XOR (RC4(IV || key)))
M = RC4(IV || key) XOR ((M || CRC(M)) XOR (RC4(IV || key)))
OBS: demux ICV and M from previous result. Calculate ICV from M and compare for integrity.

Question 12

Two types of WEP authentication.

Answer 12

• Open System Architecture: AP associates all STA, authentication provided by ability to encrypt messages correctly after association.
• Shared Key Authentication: challenge-response algorithm.

Question 13

WEP weaknesses.

Answer 13

• keys (no key management, length is only 40 bits)
• encryption (reuse of IV, affects confidentiality & integrity)
• shared key authentication:
  ciphertext = RC4 XOR (challenge || CRC(challenge))
• key scheduling (recover secret key, needs IVs and first two octets of encrypted messages)

Question 14

Which are the three categories of GSM channels?

Answer 14

• Traffic Channels (point-to-point between antenna & MS)
• Common Control Channels (signaling between previous)
• Dedicated Control Channels ( signaling related to services such and handover procedures or connection establishment)

Question 15

Which are the three attacks on GSM networks?

Answer 15

• IMSI-Catcher (MitM, rogue antenna, turn off encryption)
• DoS (answer paging req. with channel req. before)
• Hijacking Services (GSM networks don’t authenticate all services, attacker can redirect to itself, use IMSI-Catcher to turn off encryption).

Question 16

Which are the 4 ways to open your car and start the engine?

Answer 16

• Old-school metallic keys
• Immobilizers (chips in the key, close proximity, auth.)
• Active keyless entry (button on key, up to 100m)
• Passive keyless entry & start (detection of proximity)

Question 17

How does the PKES security works?

Answer 17

• Authentication: challenge-response protocol

- Proximity inferred from the ability to receive messages

Question 18

What are relay attacks on PKES?

Answer 18

Messages are relayed from one location to another in order to make one entity appear closer to the other. Does not require breaking cryptography.

Question 19

Countermeasure for relay attacks on PKES?

Answer 19

Distance bounding by measuring propagation delay.

Question 20

Which are the six attacks on WSN?

Answer 20

• Tampering (physical access of nodes, cold boot)
• Exhaustion & Interrogation (superfluous & expens. op.)
• Tampered forwarding (modify dev behaviour or rout. tab.)
• Wormholes (side-channel that provides advantage)
• Sybil attack (node with multiple ids and arbitrary location)
• HELLO flooding (broadcast of false neighbor status)

Question 21

Which are the countermeasure for each of the WSN attacks?

Answer 21

• Tampering: camouflage, sensors to detect, use CPU registers or CPU cache, encrypt data in RAM)
• E&I: auth. requests, rate-limited responses (bases on recent history of request traffic), client puzzles
• Tampered fwd: disjoint routing paths, node listen channel to make sure neighbor transmited same message, auth. routing updates, periodic end-to-end probing, geo-location for routing, diversity coding)
• Wormholes: geographic fwd, auth. routing messages
• Sybil attack: auth. nodes and identities, loc. verification
• HELLO flooding: bi-directional verification of local links, auth. nodes

Question 22

What is diversity coding?

Answer 22

Transmit data over multiple independent paths with redundancy. Split messages in N >= 2 chunks. Compute parity XORing all chunks. M-for-N diversity codes, recover M link failures when M+N links.

Question 23

How to scan a network?

Answer 23

• ping

- nmap

Question 24

How to mitigate scan?

Answer 24

• turn off response to echo protocols

- port knocking (sequence, packet payload, inter-arrival time of packets)

Question 25

Which are the six DoS attacks?

Answer 25

• Ping of Death (old systems, send malformed packet)
• Teardrop (negative offset of fragmented packets, uint)
• Ping flood: send many pings to victim
• Smurf attack: broadcast ping using victim address
• SYN flood: TCP buffer for half-open connection is limited
• LAND: send SYN with victim as source and destination

Question 26

Which are the two firewall strategies?

Answer 26

• Blacklisting

- Whitelisting

Question 27

What is Ingress Filtering?

Answer 27

Routers know IP ranges of networks connected to each port. Avoid IP spoofing and related attacks.

Question 28

Which are the two approaches for packet filtering?

Answer 28

• Stateless

- Statefull (record outgoing packets, match incoming packets)

Question 29

Which are the five built-in chains in netfilter?

Answer 29

• Prerouting
• Forward
• Input
• Output
• Postrouting

Question 30

Which are the limits for packet filters?

Answer 30

• Bugs in upper layers
• Only help against attacks from outside
• Port-forwarding and tunneling (encrypted, SSH)

Question 31

Which are the three detection types of IDS?

Answer 31

• Signature-based: search intrusion-related signatures
• Anomaly-based: search changes in network activity
• Protocol-based: search misbehavior in protocols

Question 32

What characterizes a good IDS?

Answer 32

• Accuracy
• Performance
• Fault tolerant
• Timeliness

Question 33

Where an IDS should be placed?

Answer 33

• Router: for external attacks

- Switches: for internal attacks

Question 34

Which are the limits for IDSs?

Answer 34

• Signature-based only detect known attacks
• The larger the signature DB, the higher the processing
• Scans over longer period of time with different sources
• Fragment packets sent over longer periods of time
• DoS: flood IDS with possibly invalid fragments

Question 35

Describe the Man-in-the-Middle attack based on ARP.

Answer 35

ARP messages are kept in ARP cache of hosts.

1. Alice broadcasts an ARP request to find Bob.
2. Attacker respond to Alice saying it is Bob, but giving its own MAC.
3. Alice updates her ARP cache and send messages to attacker.
4. Attacker redirects Alice’s and Bob’s messages using ARP spoofing.

Question 36

What are other attacks based on ARP?

Answer 36

ARP Cache Overflow: flood host with ARP replies.
ARP Storm: poison the caches with broadcast addresses (bring network performance down).
DoS: update ARP cache for all hosts with non-existing MAC addresses.

Question 37

What are the defenses against ARP poisoning?

Answer 37

Switches can use IP-MAC-Port binding, accepting only fixed MAC addresses with fixed IPs at fixed Ethernet ports.

Question 38

How to provide privacy on the internet?

Answer 38

• E2EE: SSL/TLS

Question 39

What do SSL/TLS provides?

Answer 39

• Peer entity authentication
• User data confidentiality
• User data integrity

Question 40

Why not use TLS to encrypt all web traffic?

Answer 40

• Slows down web servers
• Breaks internet caching (can’t cache encrypted sites)
• Not all information needs encryption

Question 41

What are the steps for TLS Handshake?

Answer 41

1. Client hello
2. Server hello, certificate, key exchange, certificate request
3. Certificate, key exchange, certificate verify
4. Finished
   5.

Question 42

What does a TLS connection state between two parties holds?

Answer 42

• Compression algorithm
• Encryption algorithm (also the encryption key)
• MAC algorithm (also the hash key)

Question 43

How does TLS verify a peer entity?

Answer 43

1. Server request to be certified by CA
2. CA sends server certificate encrypted with private key
3. Browser has root certificates (pairs)
4. Client connects to server
5. Server sends client his certificate
6. Client use CA public key to verify server certificate

Question 44

Which are the three approaches for key exchange in TLS?

Answer 44

• RSA (mandatory)
• Diffie-Hellman (server certificate contain DH parameters)
• Anonymous Diffie-Hellman (vulnerable to MitM attack)

Question 45

Which MAC algorithms are used in TLS?

Answer 45

• MD5 (broken)

- SHA (mandatory)

Question 46

How does a Tor client negotiates a key with each selected onion router?

Answer 46

• Diffie-Hellman

Question 47

Which are the limitations of Tor?

Answer 47

• Analyse traffic patterns and try to correlate
• Choose of bad entry and exit nodes
• Introduce special signal into sender traffic to identify it
• Directory attacks to advertise routes
• TCP only
• Cookies can reveal identity
• Compromised copy of Tor

Question 48

What are Tor directory servers?

Answer 48

Multiple and redundant servers that advertise a list of all available onion routers by majority voting.

Question 49

Which security mechanisms does OpenPGP provide?

Answer 49

• Encryption
• Digital signatures
• Compression
• Key management
• Certificate services

Question 50

How does OpenPGP implements encryption?

Answer 50

Each message is encrypted with different key and symmetric cryptography. Key is encrypted with asymmetric cryptography.

Question 51

How does OpenPGP provides authentication, integrity and non-repudiation?

Answer 51

With signatures. Sender creates hash sum of message. Sender uses his own private key to encrypt the hash sum.

Question 52

Which is the problem with OpenPGP Signatures?

Answer 52

If hash function is not collision-free.

Question 53

Which is the difference between viruses and worms?

Answer 53

Virus spread within the system. Worms self-propagate across the Internet.

Question 54

How can we find new worms?

Answer 54

• Network telescope to monitor large range of unused add
• Honeypots
• IDS

Question 55

Which are the five roles in a botnet?

Answer 55

• Developer
• Client
• Victim
• Passive participant
• Botmaster

Question 56

How does the botmaster controls the botnet?

Answer 56

• Command & control messages via a C&C channel

Question 57

Which are the three botnet architectures?

Answer 57

• Centralized (central C&C server)
• Distributed (bots are client and server simultaneously)
• Hybrid: distributed clusters of centralized botnets

Question 58

Which is the most critical part of a botnet?

Answer 58

C&C channel. Single point of failure in centralized architecture. Channel is encrypted.

Question 59

How can the C&C channel of a botnet be implemented?

Answer 59

• IRC (easy to set up and manage)
• Web-based (easy to use, scalable, encryption and obfuscation for stealthiness, fault tolerant with multiple servers, easy to sell in the black market)
• P2P

Question 60

Which attacks can be executed with a botnet?

Answer 60

• DDoS
• Spamming
• Data stealing
• Click fraud

Question 61

Which attacks can be done in the World Wide Web?

Answer 61

• SQL injection
• Dictionary attacks on hashed passwords
• Rainbow tables attacks on hashed password (trade-off between memory (less) and processing (more)).

Question 62

How to protect against attacks that use rainbow tables?

Answer 62

• Salted hashes

Question 63

HTTP is stateless. How can a browser implement sessions?

Answer 63

• Hidden values

- Cookies

Question 64

In which ways can an attacker hijack a victim session?

Answer 64

• Sniffing (avoided with E2EE)

- Cross-site scripting

Question 65

Which are the three types of XSS?

Answer 65

• Reflected
• Persistent
• Local or DOM-based

Question 66

What is Cross-Site Request Forgery?

Answer 66

Attacker trigger HTTP requests via the victim’s browser.

Question 67

How to prevent CSRF?

Answer 67

• Secret validation token (token for each transaction is embed as a hidden value in the webpage and stored in the server. Client has to send it back)
• Check referer/origin (URL which initiated the request is sent in the header)

Question 68

How to avoid code injection attacks?

Answer 68

• Check user input
• Escape characters
• Blacklisting
• Whitelisting