ICT287 Computer Security Assignment 1 – V2.3 Last Updated 17/05/2017
Murdoch University
ICT287 Computer Security
Due Date: Friday 30 June 2017, 23:55

Assignment Information

You should submit your assignment online using the Assignment submission on LMS. Late submissions will be penalised at the rate of 10% of marks per day late or part thereof. You should submit your assignment as ONE word-processed document containing all of the required question answers. Allowed formats are either PDF or MS Word. You must keep a copy of the final version of your assignment as submitted and be prepared to provide it on request.

The University treats plagiarism, collusion, theft of other students' work and other forms of academic misconduct in assessment seriously. This is an INDIVIDUAL assignment. Any instances of academic misconduct in this assessment will be forwarded immediately to the Faculty Dean. For guidelines on academic misconduct in assessment, including avoiding plagiarism, see: http://www.murdoch.edu.au/teach/plagiarism

Planet of the Grapes

Planet of the Grapes, a local wine and spirit merchant, currently operates three stores around Perth. The stores are independent of one another and there is no data sharing between them; this is not by design but simply a by-product of faster than expected expansion. The organisation is now moving into the online arena and has contracted your computer consulting company to perform a variety of audits on its computer network. The owners have never employed IT security staff and have preferred to set up systems themselves. However, it has become apparent that the risks of moving business systems online are not to be ignored. For this reason you are being asked to make recommendations on a variety of specific systems. These recommendations should be presented in a format suitable for a general technical audience, i.e. someone who is proficient in IT in general but may not be a security expert.
Furthermore, the report will also be read by upper management, who may have less IT skill overall. There are three distinct tasks being requested in this phase of the audit. Each of these should be answered separately.

Question 1: Attack Surface Modelling (40 marks)

The site being audited has a total of 10 full time staff and an unspecified number of casual staff. Back-office duties are undertaken only by full time staff, although the staff common areas and offices are not locked or physically separated. Full time staff handle payroll, HR and scheduling tasks. Front counter/cashier duties are sometimes taken on by full timers but also by casual staff. We have been informed that the turnover of casual staff is quite high, although the reasons for this are unknown.

The computer systems in the back office are all networked via a Cisco small business series router supplied by Telstra; ADSL services are also provided by Telstra. To permit the owner(s) to check on files from home, remote access services are enabled on some but not all of the machines. There is no centralised server or authentication mechanism, and users log on locally to these machines. The machines are running Windows XP SP2 and all contain two local user accounts, "admin" and "user". These accounts are shared by staff to ensure that files are always accessible to fellow staff.

An image of one of these machines has been supplied to you in VM form. You can obtain the VM from: http://www.it.murdoch.edu.au/szander/ICT287/assignment1/form.php

You will require your student number to download the VM. You should download your own specific VM and not copy from a friend, as there are multiple different VMs for different people.

NOTE: When you first launch the VM it may give an error, as the network hardware might be different on your PC. Simply change the settings to match your own machine and it will boot as normal.
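Turning a network scan of the VM into the service inventory the audit report needs, as an added example that is not part of the brief: nmap's XML output (-oX) can be parsed into a per-port list that carries the service, product and version strings you would then look up against CVE records. The scan output below is constructed for illustration; its ports and version strings are not taken from the supplied VM, and treating port 3389 (RDP) as the owners' remote access path is an assumption, since the brief says only that "remote access services" are enabled. The priority notes restate what the brief itself says about remote access and shared accounts rather than asserting any particular vulnerability.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sS -sV -O -oX` output for a host like the one
# in the brief. Ports, products and the OS match are illustrative only.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135">
        <state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Service" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="closed" reason="reset"/>
        <service name="http" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP2" accuracy="100"/>
    </os>
  </host>
</nmaprun>
"""

# Ports the brief makes relevant on its own terms: the remote access path
# (assumed here to be RDP) and the SMB/NetBIOS stack through which the
# shared "admin"/"user" accounts and their files are reached. Everything
# else that is open is still listed, just after these.
PRIORITY_PORTS = {
    3389: "remote access from home per the brief (RDP assumed)",
    445: "SMB: shared local accounts and file access",
    139: "NetBIOS session service (legacy SMB transport)",
    135: "MSRPC endpoint mapper",
}


def parse_scan(xml_text):
    """Return (os_guess, findings) from nmap -oX output.

    findings is a list of dicts, one per OPEN port, with the fields needed
    to search CVE records (service, product) and a note on why it matters.
    """
    root = ET.fromstring(xml_text)
    os_guess = None
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        osmatch = host.find("os/osmatch")
        if osmatch is not None:
            os_guess = osmatch.get("name")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not attack surface
            portid = int(port.get("portid"))
            svc = port.find("service")
            findings.append({
                "host": addr,
                "port": portid,
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "why_it_matters": PRIORITY_PORTS.get(portid, "open; needs a CVE lookup"),
            })
    # Brief-relevant services first, then the rest by port number.
    findings.sort(key=lambda f: (f["port"] not in PRIORITY_PORTS, f["port"]))
    return os_guess, findings


if __name__ == "__main__":
    guess, rows = parse_scan(SAMPLE_NMAP_XML)
    print("OS match:", guess)
    for row in rows:
        print(row["port"], row["service"], row["product"], "-", row["why_it_matters"])
```

The product strings are what you search for when selecting the "most critical dozen or so" CVEs; the nmap version banner is only a starting point, and the OS match (not the banner) is what ties a CVE to Windows XP SP2 specifically.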
Your first task is to assess the attack surface of this machine. The scope of your analysis is limited to (1) network level attacks and (2) physical attacks. You do not need to log on to the machine and analyse the individual software packages that have been installed; identifying any vulnerable services from the network level is sufficient.

Write a short report to the business manager outlining possible weaknesses and vulnerabilities in these systems. The report should start with a 1 page memo that summarises the issues and is understandable by a layperson. The following few pages should describe the technical details. Your report should include an overview of the potentially vulnerable services and of the physical attack points, reference specific CVE items (with brief explanations), and a prioritisation of the most important issues. A fully exhaustive list of CVEs is not required (there are too many), but you should at least discuss the most critical dozen or so, and these must be relevant to the actual system and services.

Question 2: Legacy code (30 marks)

For phase two of this audit you gain access to the machine. You may use any of the vulnerabilities you discovered in Question 1 to gain this access. You must gain a command prompt on the target machine and document the steps you took, with evidence that you have obtained this access. This is a trivially simple task, so do not spend too long on it.

As you begin to audit the files, you notice that the hard drive contains some credit card validation software. Your testing shows that this program is vulnerable to a critical and yet common type of software security vulnerability. When you inquire about this software you learn that it cannot be patched, as the code is part of a suite of utilities supplied by the financial provider and does not belong to the organisation. Discuss the type of vulnerability briefly.
Discuss the specific vulnerability and show how it theoretically may be exploited. Given that it is not possible to patch or amend the code and that it must remain in use, make several recommendations to reduce the risk this application poses.

Question 3: Known weakness (30 marks)

While finishing up your analysis of the legacy code you notice a saved email containing a quote that the administrator has kept about the new web systems being set up for the online store. You notice that the email mentions that a particular hashing algorithm is to be used for digital signatures, but your experience tells you that this isn't the best approach. Write a 1 page report explaining the possible vulnerabilities caused by signing certificates with their chosen hash and how these could be exploited. You should include authoritative references about the weaknesses. You should also provide recommendations on how to mitigate the vulnerabilities for general systems as well as for the specific platform being used.
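Why the choice of hash matters for certificate signatures, as an added example that is not part of the brief: a CA signs only the digest of the certificate body, never the body itself, so if the hash's collision resistance is broken an attacker can submit a benign request whose digest equals that of a rogue certificate, and the CA's signature on the benign request then verifies on the rogue one. The brief does not name the algorithm in the email, so the example uses SHA-256 truncated to 32 bits as a stand-in for a hash with broken collision resistance (a birthday search finds a collision in roughly 2^16 steps) and full SHA-256 as the comparison. HMAC under a secret key stands in for the CA's RSA/ECDSA signature, and the certificate bodies and subject names are made up.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

Digest = Callable[[bytes], bytes]


def truncated_sha256(n_bytes: int) -> Digest:
    """Hash that keeps only the first n_bytes of SHA-256.

    n_bytes=4 gives 32-bit collision resistance (about 2**16 work), a
    stand-in for a hash whose collision resistance has been broken.
    n_bytes=32 is full SHA-256, the comparison case.
    """
    def digest(data: bytes) -> bytes:
        return hashlib.sha256(data).digest()[:n_bytes]
    return digest


class ToyCA:
    """Signs the digest of a certificate body, never the body itself.

    HMAC under a secret key stands in for RSA/ECDSA (assumption for the
    demo). The only property relied on is that the signature depends on
    the digest alone, which is how real certificate signatures work.
    """

    def __init__(self, digest: Digest) -> None:
        self.digest = digest
        self._key = os.urandom(32)  # the CA's private key, never shared

    def sign(self, body: bytes) -> bytes:
        return hmac.new(self._key, self.digest(body), "sha256").digest()

    def verify(self, body: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(body), sig)


def find_collision(digest: Digest, benign_prefix: bytes, rogue_prefix: bytes,
                   max_steps: int) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search for a benign body and a rogue body with equal digests.

    Both bodies vary only in a trailing serial field the attacker chooses.
    Returns None if no collision is found within max_steps.
    """
    benign_seen: Dict[bytes, bytes] = {}
    rogue_seen: Dict[bytes, bytes] = {}
    for i in range(max_steps):
        benign = benign_prefix + b"serial=%d\n" % i
        rogue = rogue_prefix + b"serial=%d\n" % i
        hb, hr = digest(benign), digest(rogue)
        if hb == hr:
            return benign, rogue
        if hb in rogue_seen:
            return benign, rogue_seen[hb]
        if hr in benign_seen:
            return benign_seen[hr], rogue
        benign_seen[hb] = benign
        rogue_seen[hr] = rogue
    return None


# Constructed certificate bodies; the rogue one claims CA authority.
BENIGN_PREFIX = b"subject=CN=shop.example.test\nbasicConstraints=CA:FALSE\n"
ROGUE_PREFIX = b"subject=CN=Rogue Intermediate\nbasicConstraints=CA:TRUE\n"


def demo(n_bytes: int, max_steps: int = 300_000) -> dict:
    """Run the attack against a CA whose hash is truncated to n_bytes."""
    digest = truncated_sha256(n_bytes)
    ca = ToyCA(digest)
    pair = find_collision(digest, BENIGN_PREFIX, ROGUE_PREFIX, max_steps)
    if pair is None:
        return {"collision": False}
    benign, rogue = pair
    sig = ca.sign(benign)  # the CA only ever sees the benign request
    return {
        "collision": True,
        "benign": benign,
        "rogue": rogue,
        "benign_verifies": ca.verify(benign, sig),
        "rogue_verifies": ca.verify(rogue, sig),  # True: the signature transfers
    }


if __name__ == "__main__":
    weak = demo(4)
    print("32-bit hash: collision found, rogue cert verifies:", weak["rogue_verifies"])
    print("full SHA-256: collision found within budget:", demo(32)["collision"])
```

Two points for the report follow directly from the code. First, the attacker never needs the CA's key; the hash, not the signature algorithm, is what fails. Second, the search depends on the attacker controlling or predicting every byte of the signed body, which is why CAs now put unpredictable entropy in serial numbers as a defence in depth; that mitigation is not modelled here, and it does not replace moving to a hash with an adequate collision-resistance margin.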