
CMPSCI 177 Homework 1 Solutions
35 points total

Part I

1. (2 points)
a. John copies Mary's homework. - Confidentiality
b. Paul crashes Linda's system. - Availability
c. Carol changes the amount of Angelo's check from $100 to $1000. - Data Integrity
d. Gina forges Roger's signature on a deed. - Origin Integrity
e. Rhonda registers the domain name AddisonWesley.com and refuses to let the publishing house buy or use that domain name. - Availability
f. Jonah obtains Peter's credit card number and has the credit card company cancel the card and replace it with another card bearing a different account number. - Confidentiality, Integrity, Availability
g. Henry spoofs Julie's IP address to gain access to her computer. - Integrity

5. (2 points)
Disclosure: Confidentiality will not allow unauthorized access to information.
Disruption: Availability prevents interruption or prevention of correct operation.
Deception: Data integrity and origin integrity will prevent acceptance of false data.
Usurpation: The combination of integrity, confidentiality and availability prevents unauthorized control of some part of a system.

11. (2 points) How do laws protecting privacy impact the ability of system administrators to monitor user activity?
System administrators need to read/access users' data in order to monitor activity. Laws protecting privacy hinder system administrators' ability to monitor a system because accessing user data is essential to monitoring.

18. (2 points) Companies usually restrict the use of electronic mail to company business but do allow minimal use for personal reasons.
a. How might a company detect excessive personal use of electronic mail, other than by reading it? (Hint: Think about the personal use of a company telephone.)
Monitor the number of emails sent to addresses not related to the business, or use another metadata-based approach.
b. Intuitively, it seems reasonable to ban all personal use of electronic mail on company computers. Explain why most companies do not do this.
It is better to have users using their company email for personal use than to have a policy so strict that it encourages dangerous violations of security policy. For example, strict web filtering can result in the creation of hidden, private proxies for web traffic, which could be used for undetectable data exfiltration. As a sysadmin, you don't want your policies to lead to users keeping secrets from you.

21. (2 points)
I think my decision would have been dependent on much more information, but with just the information provided my sentence would be much less than that. I think it is very important for the judge to know the following information in order to make the right decision:
a. the programmer's intention (was it an accident?)
b. how much damage did it cause? how many computers were infected? how important were the computers? how much money was lost due to the attack?
c. were there any accomplices?
d. what effect will the sentence have on the community of hackers?
I think that the following reasons were behind the judgment:
a. It did not delete any file and therefore integrity was not compromised.
b. He was a graduate student, not a criminal.
c. It was claimed to be an accident.
With the amount of information given, I would have made the same decision, but I would have needed some more information to make the judgment:
a. Did he inform any security organizations about the vulnerability?

b. It did not affect integrity, but it does not say whether it compromised confidentiality or availability. In either case, it is a punishable offense.

Part II

1. (4 points) Your task is to find out the details of the Duqu worm. In particular, what type of vulnerability (i.e., what feature, etc. failed) is it? Also, what applications were affected?
A flaw in Windows XP SP3 and newer could allow remote code execution if a user opens a specially crafted Microsoft Word document or visits a malicious Web page that embeds TrueType font files. The creators of Duqu used stolen hardware manufacturer certificates to sign their malicious drivers. Duqu spread via network shares, and exhibits worm-type behavior by mailing itself as a malicious Word document email attachment to contacts from the infected person's mail program.

2. (2 points) Is there a patch for this vulnerability? If yes, who generated the patch? Does it fix all occurrences of the vulnerability identified in question 1, above? If no, why not?
Yes. Microsoft's MS11-087 addresses the TrueType Font Parsing Vulnerability recorded as CVE-2011-3402, and fixes all occurrences of the vulnerability for all affected Windows operating systems.

3. (2 points) What is a "zero-day exploit"? Did the Duqu worm contain a zero-day exploit? If yes, how many?
A zero-day exploit is a previously unseen exploit. Since the security holes are unknown, patches are not available when the attack begins. This allows malware using zero-day exploits to spread rapidly. Duqu contained at least one zero-day, the TrueType Font Parsing Vulnerability.

Part III

1. (7 points)
a. CVE-2011-3402
b. Assigned (20110909)
c. No

d. CVE-2012-0001, released 01/10/2012, or CVE-2011-3657, released 01/02/2012
e. Windows XP and newer, or Bugzilla
f. Assigned (20111109), or Assigned (20110923)
g. Must be reviewed and accepted by the CVE Editorial Board before it can be updated to official "Entry" status on the CVE List

2. (4 points)
a. CVE-2011-3402
b. Severity 9.3
c. 1/04/2011
d. 454 vulnerabilities, 10.94% of the total. I visited http://web.nvd.nist.gov/view/vuln/statistics and searched for Software Flaws with vulnerability type XSS, published between January 2011 and December 2011.

3. (4 points)
a. Yes, the Industrial Control Systems response team published six Duqu-related alerts and updates, titled ICS-ALERT-11-291-01 "W32.Duqu: An Information-Gathering Malware". They also published a vulnerability note for the TrueType parsing problem.
b. Vulnerability Note VU#316553
c. US-CERT is a US government (Department of Homeland Security) group that coordinates cyber security response among government, industry, and academic groups. The CERT Coordination Center at CMU was launched by DARPA in 1988, and actually predates US-CERT. When US-CERT was created, CERT/CC contributed expertise. Through US-CERT, DHS and the CERT/CC work jointly. http://www.cert.org/faq/cert_faq.html#A2
d. Carnegie Mellon University, in Pittsburgh, Pennsylvania.

4. (2 points)
a. http://www.securityfocus.com/bid/50462 Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (Hint: Search by CVE or use Google with site:securityfocus.com)
b. Bugtraq practices full disclosure of vulnerabilities, providing all known details, including exploit code for download when available.
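As an added illustration of the metadata-based approach in Part I, question 18a (example code written for this page, not part of the original solutions): it tallies each internal user's messages to addresses outside an assumed company domain and an assumed allowlist of business-partner domains, using constructed log lines in an assumed "timestamp sender recipient size" format, and flags senders over an assumed threshold without ever reading message content.

```python
import re
from collections import defaultdict

COMPANY_DOMAIN = "example.com"                       # assumed company domain
BUSINESS_DOMAINS = {COMPANY_DOMAIN, "vendor.net"}    # assumed allowlist of business-related domains
PERSONAL_THRESHOLD = 3                               # assumed policy limit per sender per log period

# Constructed sample log lines in an assumed "timestamp sender recipient size" format;
# not real data and not the log format of any particular mail server.
SAMPLE_LOG = """\
2011-10-03T08:01:12 alice@example.com bob@example.com 2048
2011-10-03T08:05:40 alice@example.com supplier@vendor.net 4096
2011-10-03T09:12:03 carol@example.com friend@webmail.org 1200
2011-10-03T09:13:55 carol@example.com friend@webmail.org 800
2011-10-03T10:02:17 carol@example.com club@hobbies.org 3000
2011-10-03T10:45:09 carol@example.com other@webmail.org 500
2011-10-03T11:00:00 dave@example.com dave.home@webmail.org 900
2011-10-03T11:00:00 garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sender>\S+@\S+)\s+(?P<rcpt>\S+@\S+)\s+(?P<size>\d+)$")

def external_counts(log_text, business_domains=BUSINESS_DOMAINS, company_domain=COMPANY_DOMAIN):
    """Count, per internal sender, messages addressed to domains outside the business allowlist.
    Only envelope metadata (sender/recipient) is used; message bodies are never read."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # malformed line: skip, don't crash
        sender = m.group("sender").lower()
        rcpt_domain = m.group("rcpt").lower().rsplit("@", 1)[1]
        if not sender.endswith("@" + company_domain):
            continue                                  # only audit our own users' outbound mail
        if rcpt_domain not in business_domains:
            counts[sender] += 1
    return dict(counts)

def flag_excessive(counts, threshold=PERSONAL_THRESHOLD):
    """Return (sender, count) pairs over the policy threshold, highest count first."""
    flagged = [(s, n) for s, n in counts.items() if n > threshold]
    return sorted(flagged, key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    for sender, n in flag_excessive(external_counts(SAMPLE_LOG)):
        print(f"{sender}: {n} non-business messages (limit {PERSONAL_THRESHOLD})")
```

The same tally can be run per day or per week against a real mail server's envelope log once the line format and allowlist are adjusted to the site.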
