Saturday 14 January 2012

Network Security


1. Introduction to Information Security
1. What are four problems related to network security? Explain the meaning of each of them. [4]

2. Differentiate between passive and active attacks on a computer. [4]

3. What is malicious code? What are its different types? What differentiates one type from another? [4]

4. List and describe three preventative measures that can be taken to minimize the risk of computer virus infection, other than the use of anti-virus software. [4]

5. Differentiate between passive and active attacks on a computer. [4]

Ans: A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.

The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions. A second type of passive attack, traffic analysis, is subtler. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.

Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.

A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges. Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect. Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. For example, a message meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read confidential file accounts."

The denial of service prevents or inhibits the normal use or management of communications facilities. This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention.
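Three of the four active-attack categories (modification, replay and masquerade) become detectable at the receiver when every message carries a sequence number and a keyed message authentication code. The Python example below is added here and is not part of the original notes; the shared key is generated for the demo and the message text reuses the "John Smith" / "Fred Brown" illustration above.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the demo; a real system provisions it out of band.
SHARED_KEY = secrets.token_bytes(32)


def compute_tag(key: bytes, seq: int, msg: bytes) -> bytes:
    """HMAC-SHA256 over the sequence number and the message body.

    Binding the sequence number into the tag means an opponent cannot take a
    valid tag and attach it to a different body or a different sequence number
    without knowing the key.
    """
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()


class Sender:
    """Legitimate sender: numbers each message and tags it with the key."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seq = 0

    def send(self, msg: bytes) -> dict:
        self.seq += 1
        return {"seq": self.seq, "msg": msg, "tag": compute_tag(self.key, self.seq, msg)}


class Receiver:
    """Legitimate receiver: verifies the tag, then enforces a strictly increasing seq."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0

    def receive(self, pkt: dict) -> str:
        expected = compute_tag(self.key, pkt["seq"], pkt["msg"])
        # Constant-time comparison; a mismatch means the body, the seq or the
        # tag was altered, or the packet was fabricated without the key.
        if not hmac.compare_digest(expected, pkt["tag"]):
            return "REJECT: tag mismatch (modification or masquerade)"
        # A valid tag with a stale sequence number is an old packet resent.
        if pkt["seq"] <= self.last_seq:
            return "REJECT: stale sequence number (replay)"
        self.last_seq = pkt["seq"]
        return "ACCEPT"


def run_scenarios() -> dict:
    """Play modification, replay and masquerade against the receiver.

    Denial of service is deliberately absent: no per-message check detects it.
    """
    sender, receiver = Sender(SHARED_KEY), Receiver(SHARED_KEY)
    outcomes = {}

    # 1. Genuine message, delivered once.
    genuine = sender.send(b"Allow John Smith to read confidential file accounts")
    outcomes["genuine"] = receiver.receive(genuine)

    # 2. Modification: the opponent edits the body but cannot recompute the tag.
    modified = dict(genuine, msg=b"Allow Fred Brown to read confidential file accounts")
    outcomes["modified"] = receiver.receive(modified)

    # 3. Replay: the captured, untouched packet is retransmitted later.
    outcomes["replayed"] = receiver.receive(genuine)

    # 4. Masquerade: the opponent fabricates a whole packet with a guessed tag.
    forged = {"seq": 2, "msg": b"Allow Fred Brown to read confidential file accounts",
              "tag": bytes(32)}
    outcomes["forged"] = receiver.receive(forged)

    # 5. The sender's next genuine message is still accepted (seq 2 > last_seq 1).
    outcomes["next_genuine"] = receiver.receive(sender.send(b"Revoke access for Fred Brown"))
    return outcomes


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:12s} -> {result}")
```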

6. What are Trojans? Give an example of at least one commonly known Trojan. [6]
Ans: A Trojan virus is a piece of software designed to look like a useful file or software program but performs a possibly nefarious function once installed on a client computer. The virus takes its name from the “Trojan Horse” of Greek mythology, set up outside the city of Troy. Trojan horse viruses differ from other computer viruses in that they are not designed to spread themselves. Instead, Trojan horse malware is either delivered as the payload of another virus or piece of malware, or through manual end-user action such as downloading infected files or inserting infected drives into a computer. Once a computer is infected with a Trojan virus, the malware can be designed to steal end-user information, perform destructive harm on the target computer, or even download additional computer malware. Trojan horse viruses comprised more than 80% of all computer malware detected in the world over the past year and the number continues to grow.

What are the Components of a Trojan Virus?

A Trojan virus will normally consist of a server and client component. The client component is the portion of the malware that infects the end-user’s computer. Once established or executed, the virus can be designed to establish a certain level of control over the infected computer. Based on the desired purpose of the malware author, the client Trojan can deliver additional malware components such as a key logger, spyware, or perform destructive features on the computer.

How Do Trojan Horse Viruses Spread?

Trojan viruses can infect client computers in several ways. One of the most prevalent means of infection is through email attachments. The malware developer will use a broad email list to spam the virus to a large number of people, disguised as a potentially useful attachment or even pornography. Once the user opens the file, it will then infect their computer. More recently, targeted spam called spear phishing has been used to target high-visibility personnel in business and in government. The same technique of spoofing someone the individual may know, or pretending to be a useful email attachment, is used, just with a higher-profile potential target set. Another common method used to distribute Trojan viruses is via instant messenger programs such as Skype or Yahoo Messenger. Finally, another well-known technique is to send copies of the virus to all contacts listed in the address book(s) found on the computer after infection.

What Type of Damage Can Trojan Viruses Do?

Typically a Trojan virus will be designed to provide some form of remote access to a hacker or criminal on an infected computer. Once the Trojan virus has been installed, the hacker will be able to perform tasks on the computer based on the user’s account privilege level. Some of these actions could be: stealing the user’s login and password data, credit card information, or bank account data; using the computer to conduct a denial-of-service attack against another user, company, or organization; installing other software, including additional computer malware; downloading or uploading files on the user’s computer; logging keystrokes or taking screen captures of sensitive websites; crashing the user’s computer; and web surfing in an anonymous fashion. Hackers do not have to distribute Trojan viruses directly, however, as much of the better-known malware is designed to infect a computing system and respond to remote commands from hackers who did not originally deploy it. The hacker can conduct a scan of computers on a target network and, on finding computers infected with the desired Trojan virus, issue follow-on commands to control them.

What Are the Types of Trojan Horse Viruses?

In recent years, Trojan horse viruses have significantly advanced in their complexity, methods of infection and payload. The categories currently used to define the different variants of Trojan viruses include: remote access, password sending, destructive, key loggers, password stealers (or senders), denial of service, proxy, FTP, software detection killers, and Trojan downloaders.

What Does a Remote Access Trojan Virus Do?

A remote access Trojan virus remains the most encountered Trojan in the wild. This virus will give the hacker/attacker full control over the targeted computer equivalent to the user’s permissions. Once access is gained to the computer, the hacker can then access any personal information the user has stored on their computer to include logins, passwords, credit card numbers, financial statements, and other personal information. Many times, this information can then be used to steal the individual’s identity or to apply for credit card/banking information in the person’s name.

How Does a Password Sending Trojan Virus Work?

When a computer is infected by a password sending Trojan virus, the malware will search for all cached passwords and copy those that are entered by the end-user. At preset or scheduled points the Trojan will send the collected information to a preset email address or collection of email addresses. These actions are performed without the end-user’s knowledge, and the Trojan is particularly dangerous for computers that are not running any type of antivirus software. All types of passwords are vulnerable to this attack, including those for secure websites, email services, FTP, and instant messaging programs.

How Do Key Logger Trojans Work?

Key loggers are a variant of Trojan virus designed to record the keystrokes on an infected computer and then send the log files to a remote server or email account. The more advanced key loggers are capable of searching for login and password data and other pre-programmed personal data in the log files to reduce the overhead of the information sent to the remote hacker. Some key loggers are able to record their information online, whereas the ones that are designed to send the data via email record information offline. To avoid detection, the offline-recording Trojan key loggers will send information at daily or longer intervals based on the configuration set by the malware author.

What Do Destructive Trojan Viruses Do?

A destructive Trojan virus’s primary purpose is to delete or remove files on the targeted computer. They are designed to attack the computer’s core Operating System files but can also be programmed to remove data. The more sophisticated destructive Trojan viruses will be programmed to attack based on a certain date or logic requirement being met. They can be used in blackmail attempts, although this use is not widely reported (yet).

What Is a Denial of Service Attack Trojan Virus?

A denial of service (DoS) attack Trojan virus will be designed to use the infected computer as a bot to attack another web server or computer. Combined with other computers that are infected, the Internet connection for the attacked computer can become too busy to allow regular users to make use of the site. A variation of this Trojan is the Mail Bomb Trojan virus which is designed to infect as many computers as possible while sending potentially malicious emails to all addresses found on the targeted machines.

How Does a Proxy Trojan Work?

A proxy or Wingate Trojan virus is designed to make the infected computer act as a Wingate or proxy server. As a result of the infection, the targeted computer can then be used by others to surf the Internet in an anonymous fashion. This is normally used to conduct other illegal activities such as using stolen credit cards to access pornographic websites, shop online, or purchase other websites or domain names.

What is an FTP Trojan Virus?

An FTP Trojan virus is one of the most basic Trojan viruses in the wild and is one of the most outdated. The primary purpose of the malware is to open port 21 on the infected computer. Once opened, anyone can then connect to the computer using the FTP protocol. In the more advanced versions of this variant, password protection is enabled so that only the hacker can gain access to the infected machine.
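A practical check for the FTP, proxy and remote access Trojans described above is to compare the ports a machine is actually listening on against a known baseline, and to look at outbound connections to services the Trojans use to ship data out. The Python example below is added here and is not part of the original notes; the netstat output it parses is constructed in the layout of Windows `netstat -an`, and the baseline and watch list are assumptions for the demo.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the layout of Windows `netstat -an`; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    192.168.1.10:49152     198.51.100.20:443      ESTABLISHED
  TCP    192.168.1.10:49153     203.0.113.7:21         ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# Assumed baseline of TCP ports this workstation is expected to listen on.
EXPECTED_LISTENERS: Set[int] = {135, 445}

# Remote ports whose outbound use from a workstation is worth a second look
# (the notes describe Trojans that ship stolen data over FTP and e-mail).
WATCHED_REMOTE_PORTS: Dict[int, str] = {21: "ftp", 25: "smtp"}

# One netstat row: proto, local addr:port, remote addr:port (or *:*), optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s*(?P<state>\w+)?\s*$"
)


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["lport"] = int(d["lport"])
        d["rport"] = None if d["rport"] == "*" else int(d["rport"])
        rows.append(d)
    return rows


def unexpected_listeners(rows: List[dict], baseline: Set[int]) -> List[int]:
    """TCP ports in LISTENING state that are not in the baseline (sorted, unique)."""
    found = {r["lport"] for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"}
    return sorted(found - baseline)


def watched_outbound(rows: List[dict], watched: Dict[int, str]) -> List[str]:
    """Established connections to remote ports on the watch list."""
    return [f'{r["raddr"]}:{r["rport"]} ({watched[r["rport"]]})'
            for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and r["rport"] in watched]


def audit(text: str) -> dict:
    """Run both checks over one netstat capture."""
    rows = parse_netstat(text)
    return {"unexpected_listeners": unexpected_listeners(rows, EXPECTED_LISTENERS),
            "watched_outbound": watched_outbound(rows, WATCHED_REMOTE_PORTS)}


if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT))
```

On the constructed sample the listener on port 21 is flagged because it is absent from the baseline, and the established session to a remote port 21 is listed as outbound FTP.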

What Are Software Detection Killer Trojans?

A software detection killer Trojan virus is commonly used in conjunction with other computer malware such as scareware. The purpose of this variant of Trojan virus is to disable known antivirus and computer firewall programs. Not only will they disable installed versions of known computer security software, but the Trojan will also preclude installation of new security programs that are well-known. Once they are active, other computer malware can be bundled with the Trojan in order to perform additional malicious tasks.

What is a Trojan Downloader Virus?

A Trojan downloader virus is a fairly recent development over the past several years. This version of Trojan is designed to infect a target computer in a similar manner to other Trojan viruses. The sole job that a Trojan downloader does on the infected computer is to download additional computer malware onto the infected computer. Some Trojan downloaders can also be used to grant remote access to the target machine to a remote server or individual as part of their work.

How to Remove Trojan Viruses

One of the most frustrating tasks a home computer user will have to do is recover from a Trojan virus infection. The following steps are general in nature, but intended to help the average computer user recover from a Trojan and other computer malware infection.
Step 1 – Gain access to a non-infected computer that allows you to save files to a CD-R or memory stick. Then, launch the computer’s web browser and download the RKill process killer application produced by Bleeping Computer and save to the portable drive or place in a temporary folder to burn to CD.

Step 2 – Download the free version of the Malwarebytes antimalware application. If using a portable drive, copy the install file to the drive. One thing to consider is copying two versions of each file, with the second version having a unique file name such as your first name or something that does not have anything to do with computer security, since some Trojan viruses will prevent RKill or Malwarebytes from being installed. If burning a CD, wait to burn the CD until you have renamed the second version of each file.
Step 3 – Restart the infected computer in Windows Safe Mode if the computer will allow you to do so.
Step 4 – Copy the files on the memory stick or CD onto the desktop of the infected computer.
Step 5 – Run the RKill application by double clicking either the primary or alternatively named file icon on the computer’s desktop. RKill should stop all known computer malware processes from executing on your infected computer. Note that RKill can take a few minutes to execute.
Step 6 – Once RKill finishes executing, turn off Windows System Restore on your computer. To access the System Restore properties, right click the “My Computer” icon and then select the “Properties” menu option. Select the “Turn Off System Restore” menu choice and choose the default menu prompts to complete the action.
Step 7 – Run the Malwarebytes installation file that you have already copied to the computer’s desktop. Note that you may need to run the renamed version of this file, depending on the Trojan virus that has infected the computer. Accept all default menu prompts and then run a complete antivirus scan of your computer’s drives.
Step 8 – After Malwarebytes has completed running, ensure you select the menu options to remove all infected files discovered.
Step 9 – Restart your computer after the infected files are deleted and the Trojan virus will be removed.
Step 10 – After the computer has restarted, turn Windows System Restore back on.
Step 11 – If you were not running a commercial antivirus program prior to the Trojan virus infection, consider purchasing one from Malwarebytes, Avast, AVG, Norton, or McAfee to prevent future infections.

How to Protect Your Computer from Trojan Horse Virus Infection

The best way to defend against Trojan viruses is to take countermeasures so that your computer never gets infected. To prevent future infections there are a number of prudent measures that you can take to minimize your risk. First, never open unsolicited email attachments. This is one of the methods hackers use most to infect targeted computers. Next, do not click links that you did not solicit. An increasingly popular method used by hackers is to send malicious links out in spam email instead of attachments, since more users are becoming educated about the threat that email attachments pose. If you have not purchased antivirus software and left it running, you are long overdue. Additionally, running regular updates for your computer’s operating system and installed programs, and leaving the default firewall turned on, is another must in today’s threat environment.

Emerging Trends with Trojan Horse Viruses

One of the emerging trends with Trojan viruses is the bundling of Trojans with computer scareware. Scareware is designed as a payload of Trojans or Trojan downloaders. Once installed on the target computer it will disable the computer’s antivirus software (if installed) and then proceed to display fake infection warnings to the user. When the warnings are selected, a fake virus scan is conducted that then entices the user to pay money to download the commercial version of the scareware. If they do, the credit card information is then used for nefarious ends, money is charged, and additional computer malware is downloaded onto the computer. The number of scareware packages exceeds 15,000 and has seen a greater than 500% increase in the past three years. Some scareware will even go as far as to mimic the look and feel of known computer virus programs. Users must use their best judgment in detecting scareware and be leery of any application that tries to charge you money to do its job!

7. Differentiate between worms and viruses. [6]

8. What is the difference between passive and active attacks with respect to security threats faced in using the web? [6]

9. How is a virus different from a worm? What are the various types of viruses? [8]
Ans: What is the difference between a virus and a worm?

A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided.

The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then, the worm replicates and sends itself out to everyone listed in each of the receivers' address books, and so it continues on down the line.

Due to the copying nature of a worm and its capability to travel across networks the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In recent worm attacks such as the much-talked-about Blaster Worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.
What is a virus?
A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:
  • It must execute itself. It often places its own code in the path of execution of another program.
  • It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike.

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

What is a worm?
Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. W32.Mydoom.AX@mm is an example of a worm.
A virus is a program that is designed to spread from file to file on a single PC; it does not intentionally try to move to another PC, and it must replicate and execute itself to be defined as a virus.

A worm is designed to copy itself (intentionally move) from PC to PC, via networks, the Internet, etc.

A worm doesn't need a host file to move from system to system, whereas a virus does.

So worms spread more rapidly than viruses.

The word 'virus' has become a common term a lot of people use to refer to worms and Trojans too, which is not exactly correct.
A worm is a type of virus that has an important and specific feature; it does not depend upon any form of human intervention to propagate. Since it can replicate and infect by itself, it is by far the most virulent type of virus, and can infect many millions of computers globally in a matter of hours. A standard virus will depend on some form of human intervention to propagate, whether this is opening an email attachment, clicking a malicious link, or transferring an infected disk from one machine to another.
To answer the question as to which is more 'harmful' is difficult, since this depends on the specific 'payload' or malicious function of the virus, worm or trojan. But in terms of rate of infection, the worm is by far the most potent.
A virus is a program that piggy-backs on other programs. It can be attached to a Word or Excel file. Each time the file is run, the virus runs too. It attaches itself to other programs and continues to reproduce. A worm uses computer networks to replicate itself. It searches for servers with security holes and copies itself there. It then begins the search and replication process again.
Different Types of Computer Viruses

There are different types of computer viruses which can be classified according to their origin, techniques, types of files they infect, where they hide, the kind of damage they cause, the type of operating system or platform they attack etc. Let us have a look at few of them.

Resident Virus
This type of virus is permanent, as it dwells in the RAM. From there it can overcome and interrupt all the operations executed by the system. It can corrupt files and programs that are opened, closed, copied, renamed, etc.

Examples: Randex, CMJ, Meve, and MrKlunky.

Direct Action Viruses
The main purpose of this virus is to replicate and take action when it is executed. When a specific condition is met, the virus will go into action and infect files in the directory or folder that it is in as well as directories that are specified in the AUTOEXEC.BAT file path. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted.

Examples: Vienna virus.

Overwrite Viruses
A virus of this kind is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected. The only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content.

Examples: Way, Trj.Reboot, Trivial.88.D.

Boot Sector Virus
This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk, in which information about the disk itself is stored along with a program that makes it possible to boot (start) the computer from the disk. The best way of avoiding boot sector viruses is to ensure that floppy disks are write-protected and never to start your computer with an unknown floppy disk in the disk drive.

Examples: Polyboot.B, AntiEXE.

Macro Virus
Macro viruses infect files that are created using certain applications or programs that contain macros. These mini-programs make it possible to automate series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one.

Examples: Relax, Melissa.A, Bablas, O97M/Y2K.

Directory Virus
Directory viruses change the path that indicates the location of a file. When you execute a program file with an extension .EXE or .COM that has been infected by a virus, you are unknowingly running the virus program, while the original file and program have previously been moved by the virus. Once infected, it becomes impossible to locate the original files.

Examples: Dir-2 virus.

Polymorphic Virus
Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system. This makes it impossible for anti-viruses to find them using string or signature searches (because they are different in each encryption). The virus then goes on creating a large number of copies.

Examples: Elkern, Marburg, Satan Bug and Tuareg.

File Infector Virus
This type of virus infects programs or executable files (files with .EXE or .COM extension). When one of these programs is run, directly or indirectly, the virus is activated, producing the damaging effects it is programmed to carry out. The majority of existing viruses belong to this category, and can be classified depending on the actions that they carry out.

Examples: Cleevix and Cascade.

Companion Viruses
Companion viruses can be considered as a type of file infector viruses like resident or direct action types. They are known as companion viruses because once they get into the system they 'accompany' the other files that already exist. In other words, in order to carry out their infection routines, companion viruses can wait in memory until a program is run (resident virus) or act immediately by making copies of themselves (direct action virus).

Some examples include: Stator, Asimov.1539 and Terrax.1069

FAT Virus
The file allocation table or FAT is the part of a disk used to store all the information about the location of files, available space, unusable space, etc. A FAT virus attacks the FAT section and may damage crucial information. It can be especially dangerous as it prevents access to certain sections of the disk where important files are stored. Damage caused can result in information losses from individual files or even entire directories.

Examples:

Multipartite Virus
These viruses spread in as many ways as possible. Their action may vary depending upon the operating system installed and the presence of certain files.

Examples: Invader, Flip and Tequila

Web Scripting Virus
Many web pages include complex code in order to create an interesting and interactive content. This code is often exploited to bring about certain undesirable actions.

Worms
A worm is a program very similar to a virus; it has the ability to self-replicate and can lead to negative effects on your system. But they can be detected and eliminated by anti-viruses.

Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson.

Trojans or Trojan Horses
Another unsavory breed of malicious code is Trojans or Trojan horses, which unlike viruses do not reproduce by infecting other files, nor do they self-replicate like worms. In fact, a Trojan is a program which disguises itself as a useful program or application.

Logic Bombs
They are not considered viruses because they do not replicate. They are not even programs in their own right but rather camouflaged segments of other programs. They are only executed when a certain predefined condition is met. Their objective is to destroy data on the computer once certain conditions have been met. Logic bombs go undetected until launched and the results can be destructive.

Besides these, there are many other computer viruses that have the potential to infect your digital data. Hence, it is a must that you protect your data by installing genuine, quality anti-virus software.

10. What is a Trojan Horse? Explain some functions of the Trojan. Also suggest any three ways to detect a Trojan. [7]

11. Briefly explain confidentiality, integrity and availability with respect to information security. [4]

12. Confidentiality, integrity and availability form the core principles of information security. Briefly explain each of them. [4]
13. Define the terms: Logic Bomb, Trojan Horse. [2]
14. What are worms and when do they execute? [6]

15. Write short notes on any three of the following:
b) ICANN [6]

Ans: The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit corporation headquartered in Marina del Rey, California, United States, that was created on September 18, 1998, and incorporated on September 30, 1998[1] to oversee a number of Internet-related tasks previously performed directly on behalf of the U.S. government by other organizations, notably the Internet Assigned Numbers Authority (IANA), which ICANN now operates.
ICANN is responsible for the coordination of the global Internet's systems of unique identifiers and, in particular, for ensuring their stable and secure operation.[2] This work includes coordination of the Internet Protocol address spaces (IPv4 and IPv6) and assignment of address blocks to regional Internet registries, maintenance of registries of Internet protocol identifiers, and management of the top-level domain name space (DNS root zone), which includes the operation of root nameservers. Most visibly, much of its work has concerned DNS policy development for internationalization of the DNS system and the introduction of new generic top-level domains (TLDs). The actual technical work of maintaining the central Internet address pools and DNS root registries is performed by ICANN pursuant to the "IANA function" contract.
ICANN's primary principles of operation have been described as helping preserve the operational stability of the Internet; to promote competition; to achieve broad representation of the global Internet community; and to develop policies appropriate to its mission through bottom-up, consensus-based processes.
On September 29, 2006, ICANN signed a new agreement with the United States Department of Commerce (DOC) that moves the private organization towards full management of the Internet's system of centrally coordinated identifiers through the multi-stakeholder model of consultation that ICANN represents.
Before the establishment of ICANN, the Government of the United States controlled the domain name system of the Internet.
The original mandate for ICANN came from the United States government, spanning the presidential administrations of both Bill Clinton and George W. Bush. On January 30, 1998, the National Telecommunications and Information Administration (NTIA), an agency of the U.S. Department of Commerce, issued for comment, "A Proposal to Improve the Technical Management of Internet Names and Addresses." The proposed rule making, or "Green Paper", was published in the Federal Register on February 20, 1998, providing opportunity for public comment. NTIA received more than 650 comments as of March 23, 1998, when the comment period closed.
The Green Paper proposed certain actions designed to privatize the management of Internet names and addresses in a manner that allows for the development of robust competition and facilitates global participation in Internet management. The Green Paper proposed for discussion a variety of issues relating to DNS management including private sector creation of a new not-for-profit corporation (the "new corporation") managed by a globally and functionally representative Board of Directors. ICANN was formed in response to this policy. The IANA function currently exists under an agreement with the U.S. Department of Commerce.
ICANN was incorporated in California on September 30, 1998.[1] It is qualified to do business in the District of Columbia.[6] ICANN was established in California due to the presence of Jon Postel, who was a founder of ICANN and was set to be its first CTO prior to his unexpected death. ICANN remains in the same building where he worked, which is home to an office of the Information Sciences Institute at the University of Southern California.
On July 26, 2006, the United States government renewed the contract with ICANN for performance of the IANA function for an additional one to five years.[7] The context of ICANN's relationship with the U.S. government was clarified on September 29, 2006 when ICANN signed a new Memorandum of Understanding with the United States Department of Commerce (DOC).
In July 2008, the U.S. Department of Commerce reiterated an earlier statement[8] that it has "no plans to transition management of the authoritative root zone file to ICANN". The letter also stresses the separate roles of the IANA and VeriSign.[9]

Structure

At present, ICANN is formally organized as a non-profit corporation "for charitable and public purposes" under the California Nonprofit Public Benefit Corporation Law. It is managed by a 16-member Board of Directors, which is composed of eight members selected by a Nominating Committee on which all the constituencies of ICANN are represented; six representatives of its Supporting Organizations, sub-groups that deal with specific sections of the policies under ICANN's purview; an At-Large seat filled by an At-Large Organization; and the President / CEO, appointed by the Board.
There are currently three Supporting Organizations. The Generic Names Supporting Organization (GNSO) deals with policy making on generic top-level domains (gTLDs). The Country Code Names Supporting Organization (ccNSO) deals with policy making on country-code top-level domains (ccTLDs). The Address Supporting Organization (ASO) deals with policy making on IP addresses.
ICANN also relies on some advisory committees to receive advice on the interests and needs of stakeholders that do not directly participate in the Supporting Organizations. These include the Governmental Advisory Committee (GAC), which is composed of representatives of a large number of national governments from all over the world; the At-Large Advisory Committee (ALAC), which is composed of representatives of organizations of individual Internet users from around the world; the Root Server System Advisory Committee, which provides advice on the operation of the DNS root server system; the Security and Stability Advisory Committee (SSAC), which is composed of Internet experts who study security issues pertaining to ICANN's mandate; and the Technical Liaison Group (TLG), which is composed of representatives of other international technical organizations that focus, at least in part, on the Internet.

Democratic input

In the Memorandum of Understanding that set up the relationship between ICANN and the U.S. government, ICANN was given a mandate requiring that it operate "in a bottom up, consensus driven, democratic manner." However, the attempts that ICANN has made to set up an organizational structure that would allow wide input from the global Internet community did not produce results amenable to the current Board. As a result, the At-Large constituency and direct election of board members by the global Internet community were soon abandoned.[10]
ICANN holds periodic public meetings rotated between continents for the purpose of encouraging global participation in its processes. Critics argue that these public meetings are often held in countries with lower Internet usage and far away from locations that the majority of the Internet-using public can afford to reach. This makes public input or participation from traditional Internet users less likely. Supporters reply that ICANN has a worldwide presence, and a key part of its mission is to build Internet use where it is weak.
Resolutions of the ICANN Board, preliminary reports, and minutes of the meetings, are published on the ICANN website, sometimes in real time. However there are criticisms from ICANN constituencies including the Noncommercial Users Constituency (NCUC) and the At-Large Advisory Committee (ALAC) that there is not enough public disclosure and that too many discussions and decisions take place out of sight of the public.
In the early 2000s, there had been speculation that the United Nations might signal a takeover of ICANN,[11] followed by a negative reaction from the US government[8] and worries about a division of the Internet.[12] The World Summit on the Information Society in Tunisia in November 2005 agreed not to get involved in the day-to-day and technical operations of ICANN. However, it also agreed to set up an international Internet Governance Forum, with a consultative role on the future governance of the Internet. ICANN's Governmental Advisory Committee is currently set up to provide advice to ICANN regarding public policy issues and has participation by many of the world's governments.
It is argued that ICANN was never given the authority to decide policy, e.g., to choose new TLDs or shut out other interested parties who refuse to pay ICANN's US$185,000 fee, but was to be a technical caretaker. Critics suggest that ICANN should not be allowed to impose business rules on market participants, and that all TLDs should be added on a first-come-first-served basis with the market as the arbiter of who succeeds and who does not.
A member of the European Parliament, William Newton-Dunn, has recently been addressing questions to the European Commission, asking whether ICANN is engaging in restraint of trade contrary to European free trade laws by imposing restrictions on who can operate a TLD and sell domain names. Some restrictions are considered insurmountable by many small business owners and individuals, such as the (perhaps partially refundable) $185,000 application fee.

16.  Cracking Methods        [6]

ans :-- Most people understand that good password security is the first and most effective strategy for protecting sensitive systems and data, yet systems are regularly compromised via breached user accounts.
It is fairly common knowledge that one should use strong passwords that are not easily "guessed" - such as by employing passwords that are 12 to 16 characters in length that use both upper and lower case letters, and which include non-alphanumeric characters.
But sophisticated hackers are not always simply attempting to "guess" passwords based on information lifted from social networks and the like, but instead are using various methods to undermine what most would think to be a secure password choice.
PC Pro's Davey Winder posted a nice little writeup on the top ten methods hackers use to crack passwords.
Winder's top ten, each with a brief excerpt describing the technique, are as follows:
1. Dictionary attack

"This uses a simple file containing words that can, surprise surprise, be found in a dictionary. In other words, if you will excuse the pun, this attack uses exactly the kind of words that many people use as their password..."

2. Brute force attack

"This method is similar to the dictionary attack but with the added bonus, for the hacker, of being able to detect non-dictionary words by working through all possible alpha-numeric combinations from aaa1 to zzz10..."

3. Rainbow table attack

"A rainbow table is a list of pre-computed hashes - the numerical value of an encrypted password, used by most systems today - and that’s the hashes of all possible password combinations for any given hashing algorithm mind. The time it takes to crack a password using a rainbow table is reduced to the time it takes to look it up in the list..."

4. Phishing

"There's an easy way to hack: ask the user for his or her password. A phishing email leads the unsuspecting reader to a faked online banking, payment or other site in order to login and put right some terrible problem with their security..."

5. Social engineering

"A favourite of the social engineer is to telephone an office posing as an IT security tech guy and simply ask for the network access password. You’d be amazed how often this works..."

6. Malware

"A key logger or screen scraper can be installed by malware which records everything you type or takes screen shots during a login process, and then forwards a copy of this file to hacker central..."

7. Offline cracking

"Often the target in question has been compromised via a hack on a third party, which then provides access to the system servers and those all-important user password hash files. The password cracker can then take as long as they need to try and crack the code without alerting the target system or individual user..."

8. Shoulder surfing

"The service personnel ‘uniform’ provides a kind of free pass to wander around unhindered, and make note of passwords being entered by genuine members of staff. It also provides an excellent opportunity to eyeball all those post-it notes stuck to the front of LCD screens with logins scribbled upon them..."

9. Spidering

"Savvy hackers have realised that many corporate passwords are made up of words that are connected to the business itself. Studying corporate literature, website sales material and even the websites of competitors and listed customers can provide the ammunition to build a custom word list to use in a brute force attack..."

10. Guess

"The password crackers best friend, of course, is the predictability of the user. Unless a truly random password has been created using software dedicated to the task, a user generated ‘random’ password is unlikely to be anything of the sort..."
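The first three methods, plus spidering and offline cracking, are easiest to understand side by side in code. The example below is added here and is not from Winder's article or PC Pro; it constructs a small, entirely made-up "breach" of password hashes (the LEAKED records, the Acme-style SPIDERED words and the suffix rules are assumptions for the demonstration) and then cracks them offline in the order a real cracker would: a precomputed lookup table first (the idea behind a rainbow table, minus the space-saving chains), then a mangled dictionary attack, then exhaustive brute force for whatever is left. The salted record shows why precomputation fails against per-user salts while a dictionary attack that knows the salt still succeeds.

```python
import hashlib
import itertools
import string


def digest(password, salt="", algo="sha1"):
    """Hex digest of salt||password under the named hashlib algorithm."""
    return hashlib.new(algo, (salt + password).encode()).hexdigest()


# Constructed sample "breach" (assumption, not real data): (user, salt, algo, hash).
# Plaintexts appear only to seed the sample; the cracking code never sees them.
LEAKED = [
    ("alice", "",     "sha1",   digest("password")),                        # plain dictionary word
    ("bob",   "",     "sha1",   digest("Acme2012!")),                       # company word + mangling
    ("carol", "9f3a", "sha256", digest("password", "9f3a", "sha256")),      # same weak word, but salted
    ("dave",  "",     "sha1",   digest("q7z")),                             # short and random-looking
]

# "Spidered" words, i.e. terms a cracker would lift from the hypothetical
# target's own web site and marketing material (assumed values).
SPIDERED = ["acme", "widget", "anytown"]
DICTIONARY = ["password", "letmein", "welcome", "qwerty"] + SPIDERED

# Mangling rules: the predictable tweaks users apply to a base word.
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "s": "$", "i": "1"})
SUFFIXES = ["", "1", "123", "2012", "!", "2012!"]


def mangle(word):
    """Yield the rule-based variants a cracker derives from one base word."""
    seen = set()
    bases = (word.lower(), word.capitalize(), word.upper(), word.lower().translate(LEET))
    for base in bases:
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def dictionary_attack(target, salt, algo, words):
    """Hash every mangled dictionary word with the record's own salt and compare."""
    for word in words:
        for cand in mangle(word):
            if digest(cand, salt, algo) == target:
                return cand
    return None


def brute_force(target, salt, algo, alphabet, max_len):
    """Exhaustively try every string over `alphabet` up to `max_len` characters."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            cand = "".join(chars)
            if digest(cand, salt, algo) == target:
                return cand
    return None


def precompute_table(words, algo):
    """Rainbow-table stand-in: hash each candidate once, crack later by lookup.

    Real rainbow tables store hash chains to save space; a plain dict shows
    the principle. Because there is no salt in the key, a salted hash of the
    same password will never be found here."""
    return {digest(cand, "", algo): cand for word in words for cand in mangle(word)}


def crack_all(records, table_algo="sha1"):
    """Apply the cheapest method first; return {user: plaintext or None}."""
    table = precompute_table(DICTIONARY, table_algo)
    results = {}
    for user, salt, algo, h in records:
        found = None
        if not salt and algo == table_algo:
            found = table.get(h)                         # instant lookup, unsalted only
        if found is None:
            found = dictionary_attack(h, salt, algo, DICTIONARY)
        if found is None:                                # last resort: exhaustive search
            found = brute_force(h, salt, algo, string.ascii_lowercase + string.digits, 3)
        results[user] = found
    return results


if __name__ == "__main__":
    for user, pw in crack_all(LEAKED).items():
        print(f"{user:6} -> {pw!r}")
```

Every record in the sample falls, which is the point: an unsalted fast hash is a lookup, a "company word plus year" is a handful of rule applications, and a three-character password is a few tens of thousands of hashes. The salt only forces the attacker to do the dictionary work per user instead of once; what makes that work expensive is a slow, salted password hash (bcrypt, scrypt, PBKDF2) combined with a long, non-dictionary password.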



17        What are the key principles of information security?            [4]

ANS:-- Key Information Security Concepts & Principles

Confidentiality:--Confidentiality is the principle that information and information systems are only available to authorized users, that they are only used for authorized purposes, and that they are only accessed in an authorized manner. Confidentiality also determines information disclosure authority and conditions; unauthorized disclosure or use of confidential information could be harmful or prejudicial. The 'official' definition of confidentiality is: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity:--Integrity is the principle that safeguards reliability, accuracy, and completeness of information assets.  Integrity safeguards ensure modifications are not made by unauthorized users and that unauthorized modifications are not made by authorized users. Integrity controls also ensure information is current and has not been altered or damaged. The ‘official’ definition of integrity is: Guarding against improper information modification or destruction, including ensuring information non–repudiation and authenticity.
 Availability:--Availability is the principle that means that information assets are available and usable by authorized users when and where they need them.  It is primarily used in the context of system availability. The ‘official’ definition of availability is: Ensuring timely and reliable access to and use of information.
 Identification:--Identification is the means by which a user claims an identity to a system: who is the user?  The most common example is the UserID.  This identification entity is commonly used for access control; identification is necessary for authentication and authorization.
 Authentication:--Authentication is the testing or reconciliation of evidence of users’ identities. It establishes the user’s identity and ensures that the user proves he, she, or it is who they claim they are.  The most common example of an authentication entity is a password.  Single factor authentication (requiring a single challenge to validate identity) is commonly used for routine access control; multifactor authentication should be considered for sensitive or critical assets.
 Authorization:---Authorization is the granting of rights and permissions to an individual (or process) that enables access to an information resource. Once a user’s identity and authentication are established, authorization levels determine the extent of system rights that an operator can hold.  Examples of authorization entities are access control lists and security classes.
 Accountability:--Accountability refers to a system's capability to determine and track the actions and behaviors of a single individual within a system, and to identify that particular individual. It is closely related to, and sometimes conflated with, non-repudiation (the property that a user cannot later deny having performed an action). Audit trails and system logs support accountability, and they only do so if the logs themselves are protected from tampering.
 Privacy :--Privacy relates to the level of confidentiality and control granted to the user or individual subject of the information within a system.  Privacy measures protect an individual’s ability to determine what information is collected about them, who can access the information, how it may be used, and how it may be maintained.  Loosely, privacy is to individual information (personal) what confidentiality is to corporate information (trade secret).
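The four mechanism-level principles (identification, authentication, authorization, accountability) are clearer as one request path through a system than as separate definitions. The following is an added example written for this page, not part of the original answer: a user claims an identity (UserID), proves it against a salted, slow password hash, is checked against an access control list for the resource, and has the outcome recorded in a hash-chained audit log, so that later tampering with the log (an integrity violation) is detectable. The user store, the ACL contents and the resource names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # PBKDF2 work factor; raise in production


def make_credential(password):
    """Store a per-user random salt and a slow, salted hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "key": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


# Constructed sample user store and ACL (assumed values, not from the page).
USERS = {
    "alice": make_credential("correct horse battery staple"),
    "bob":   make_credential("hunter2"),
}
ACL = {
    "payroll.csv":  {"alice": {"read", "write"}, "bob": {"read"}},
    "hr-notes.txt": {"alice": {"read"}},
}
AUDIT_LOG = []   # accountability: who did what, to what, when, and the outcome


def authenticate(user_id, password):
    """Identification is the claim (user_id); authentication tests the evidence."""
    cred = USERS.get(user_id)
    if cred is None:
        # Burn the same cost for an unknown user so the lookup is not observable by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], ITERATIONS)
    return hmac.compare_digest(key, cred["key"])   # constant-time comparison


def authorized(user_id, resource, action):
    """Authorization: rights come from the ACL, not from being authenticated."""
    return action in ACL.get(resource, {}).get(user_id, set())


def _link(prev_chain, entry):
    """Hash of the previous link plus this entry's fields (excluding its own chain value)."""
    body = repr(sorted((k, v) for k, v in entry.items() if k != "chain"))
    return hashlib.sha256((prev_chain + body).encode()).hexdigest()


def audit(user_id, resource, action, outcome):
    """Append a record whose chain value depends on every earlier record."""
    prev = AUDIT_LOG[-1]["chain"] if AUDIT_LOG else "0" * 64
    entry = {"ts": time.time(), "user": user_id, "resource": resource,
             "action": action, "outcome": outcome}
    entry["chain"] = _link(prev, entry)
    AUDIT_LOG.append(entry)


def audit_log_intact(log):
    """Integrity check: recompute the chain; any edited or deleted record breaks it."""
    prev = "0" * 64
    for entry in log:
        if _link(prev, entry) != entry["chain"]:
            return False
        prev = entry["chain"]
    return True


def access(user_id, password, resource, action):
    """Identify -> authenticate -> authorize -> record. Returns True if allowed."""
    if not authenticate(user_id, password):
        audit(user_id, resource, action, "denied:authentication")
        return False
    if not authorized(user_id, resource, action):
        audit(user_id, resource, action, "denied:authorization")
        return False
    audit(user_id, resource, action, "allowed")
    return True


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "payroll.csv", "write"))   # True
    print(access("bob", "hunter2", "payroll.csv", "write"))                         # False: not authorized
    print(access("bob", "wrong", "payroll.csv", "read"))                            # False: not authenticated
    print(audit_log_intact(AUDIT_LOG))                                              # True
```

Denied attempts are logged as deliberately as successful ones; a log that records only successes cannot support an investigation. The chain is a minimal stand-in for what a real deployment gets from shipping logs to a separate, append-only collector.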


18        Describe Proxy/Wingate Trojans.            [4]

19        Write short notes on any three of the following:
d) Back Door             [6]       
ANS :-- A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice) or may subvert the system through a rootkit.

Overview

The threat of backdoors surfaced when multiuser and networked operating systems became widely adopted. Petersen and Turn discussed computer subversion in a paper published in the proceedings of the 1967 AFIPS Conference.[1] They noted a class of active infiltration attacks that use "trapdoor" entry points into the system to bypass security facilities and permit direct access to data. The use of the word trapdoor here clearly coincides with more recent definitions of a backdoor. However, since the advent of public key cryptography the term trapdoor has acquired a different meaning. More generally, such security breaches were discussed at length in a RAND Corporation task force report published under ARPA sponsorship by J.P. Anderson and D.J. Edwards in 1970.[2]
A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the system. A famous example of this sort of backdoor was used as a plot device in the 1983 film WarGames, in which the architect of the "WOPR" computer system had inserted a hardcoded password (his dead son's name) which gave the user access to the system, and to undocumented parts of the system (in particular, a video game–like simulation mode and direct interaction with the artificial intelligence).
An attempt to plant a backdoor in the Linux kernel, exposed in November 2003, showed how subtle such a code change can be.[3] In this case, a two-line change appeared to be a typographical error (an assignment where a comparison was expected), but actually gave the caller of the sys_wait4 function root access to the system.[4]
The number of backdoors in systems using proprietary software (software whose source code is not publicly available) is not widely documented, yet such backdoors are nevertheless exposed with some regularity. Programmers have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if not actual permission.
It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).
Many computer worms, such as Sobig and Mydoom (and the covert Skynet), install a backdoor on the affected computer (generally a PC on broadband running insecure versions of Microsoft Windows and Microsoft Outlook). Such backdoors appear to be installed so that spammers can send junk e-mail from the infected machines. Others, such as the Sony/BMG rootkit distributed silently on millions of music CDs through late 2005, are intended as DRM measures — and, in that case, as data gathering agents, since both surreptitious programs they installed routinely contacted central servers.
A traditional backdoor is a symmetric backdoor: anyone who finds the backdoor can in turn use it. The notion of an asymmetric backdoor was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: Crypto '96. An asymmetric backdoor can only be used by the attacker who plants it, even if the full implementation of the backdoor becomes public (e.g., via publishing, or being discovered and disclosed by reverse engineering). Also, it is computationally intractable to detect the presence of an asymmetric backdoor under black-box queries. This class of attacks has been termed kleptography; they can be carried out in software, hardware (for example, smartcards), or a combination of the two. The theory of asymmetric backdoors is part of a larger field now called cryptovirology.
There exists an experimental asymmetric backdoor in RSA key generation. This OpenSSL RSA backdoor was designed by Young and Yung, uses a twisted pair of elliptic curves, and has been made available.

Reflections on Trusting Trust

Ken Thompson's Reflections on Trusting Trust[5] was the first major paper to describe black box backdoor issues, and points out that trust is relative. It described a very clever backdoor mechanism based upon the fact that people only review source (human-written) code, and not compiled machine code. A program called a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job.
Thompson's paper described a modified version of the Unix C compiler that would:
  • Put an invisible backdoor in the Unix login command when it noticed that the login program was being compiled, and as a twist
  • Also add this feature undetectably to future compiler versions upon their compilation as well.
Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was, officially, never released into the wild. It is believed, however, that a version was distributed to BBN and at least one use of the backdoor was recorded.[6]
A real-world instance of this attack was discovered by Sophos Labs in August 2009: the W32/Induc-A virus infected the compiler for Delphi, a Windows programming language. The virus introduced its own code into the compilation of new Delphi programs, allowing it to infect and propagate to many systems without the knowledge of the software programmer. An attack that propagates by building its own Trojan horse can be especially hard to discover. It is believed that the Induc-A virus had been propagating for at least a year before it was discovered.[7]
Once a system has been compromised with a backdoor or Trojan horse, such as the Trusting Trust compiler, it is very hard for the "rightful" user to regain control of the system. However, several practical weaknesses in the Trusting Trust scheme have been suggested. For example, a sufficiently motivated user could painstakingly review the machine code of the untrusted compiler before using it. As mentioned above, there are ways to hide the Trojan horse, such as subverting the disassembler; but there are ways to counter that defense, too, such as writing your own disassembler from scratch, so the infected compiler won't recognize it. However, such proposals are generally impractical. If a user had a serious concern that the compiler was compromised, they would be better off avoiding using it altogether rather than reviewing the binary in detail using only tools that have been verified to be untainted. A user that did not have serious concerns that the compiler was compromised could not be practically expected to undertake the vast amount of work required.
David A. Wheeler has proposed a counter to this attack using an approach he calls "diverse double-compiling", which uses techniques adapted from compiler bootstrapping. This involves re-compiling the source of the compiler through another independently-written and generated "trusted" compiler, then using the binary generated from this to recompile the original compiler's source again, and finally comparing the binary from this second compilation with the one produced by using the original compiler to recompile itself directly. If the two binaries are identical, the original compiler's self-compilation is consistent with its source; if they differ, at least one of the two compilers is not faithfully compiling that source, and the suspect binary deserves scrutiny.
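Thompson's two-step trick (backdoor the login program, and re-insert the backdooring code whenever the compiler itself is compiled) and Wheeler's diverse double-compiling check are both small enough to run as a toy. The example below is an added illustration written for this page; it is not Thompson's or Wheeler's code and not part of the original answer. The "language" being compiled is plain Python text and "compiling" is just whitespace normalisation, so a compiler binary is a string that can be exec'd; the login program, the hardcoded password 'backdoor' and the function names are assumptions for the demonstration. The evil compiler is built with a string template so that its output, when asked to compile the clean compiler source, is byte-for-byte itself, which is exactly the self-propagation that makes the compiler's source look clean.

```python
# Clean compiler source: normalises whitespace, nothing else.
CLEAN_COMPILER_SRC = r'''
def compile(src):
    return "\n".join(line.rstrip() for line in src.splitlines()) + "\n"
'''

# Template for the subverted compiler binary. %r is replaced by the template
# itself (a quine), so the binary can re-emit itself when it sees the clean
# compiler's source being compiled. %% becomes a single % in the binary.
EVIL_TEMPLATE = r'''
PAYLOAD = "    if password == 'backdoor':\n        return True\n"
SELF = %r
def compile(src):
    out = "\n".join(line.rstrip() for line in src.splitlines()) + "\n"
    if "def login(user, password):" in out:
        out = out.replace("def login(user, password):\n",
                          "def login(user, password):\n" + PAYLOAD)
    if "def compile(src):" in out:
        out = SELF %% SELF
    return out
'''
EVIL_BINARY = EVIL_TEMPLATE % EVIL_TEMPLATE

# A constructed login program; its source contains no backdoor.
LOGIN_SRC = r'''
USERS = {("admin", "s3cret")}
def login(user, password):
    return (user, password) in USERS
'''


def run(binary):
    """Execute a compiler or program 'binary' and return its namespace."""
    ns = {}
    exec(binary, ns)
    return ns


def login_allows(compiler_binary, user, password):
    """Compile LOGIN_SRC with the given compiler binary and try to log in."""
    login_binary = run(compiler_binary)["compile"](LOGIN_SRC)
    return run(login_binary)["login"](user, password)


def trusted_compile(src):
    """Independently written compiler for the same toy language (Wheeler's T).
    DDC only requires that it be correct, not that it share any code."""
    lines = []
    for line in src.splitlines():
        lines.append(line.rstrip())
    return "\n".join(lines) + "\n"


def ddc_matches(suspect_binary, compiler_src, trusted):
    """Diverse double-compiling: T(cs) -> stage1; stage1(cs) -> stage2;
    compare stage2 with the suspect compiler's own output for cs."""
    stage1 = trusted(compiler_src)
    stage2 = run(stage1)["compile"](compiler_src)
    regenerated = run(suspect_binary)["compile"](compiler_src)
    return stage2 == regenerated


# The binary an honest toolchain produces: the clean compiler compiling itself.
CLEAN_BINARY = run(CLEAN_COMPILER_SRC)["compile"](CLEAN_COMPILER_SRC)

if __name__ == "__main__":
    print(login_allows(CLEAN_BINARY, "nobody", "backdoor"))                       # False
    print(login_allows(EVIL_BINARY, "nobody", "backdoor"))                        # True
    print(run(EVIL_BINARY)["compile"](CLEAN_COMPILER_SRC) == EVIL_BINARY)         # True: self-propagates
    print(ddc_matches(CLEAN_BINARY, CLEAN_COMPILER_SRC, trusted_compile))         # True
    print(ddc_matches(EVIL_BINARY, CLEAN_COMPILER_SRC, trusted_compile))          # False: caught
```

Reviewing CLEAN_COMPILER_SRC and LOGIN_SRC turns up nothing, yet a login built with EVIL_BINARY accepts the hardcoded password, and EVIL_BINARY reproduces itself from the clean source. The DDC check catches it without reading any machine code: the only trust required is in the second, independently written compiler and in the comparison being byte-exact.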
