Your aim is to demonstrate the weakness of communicating in networks without encryption

Scenario

You are a cyber security analyst for an educational institution (e.g. a university). You are to carry out the following tasks, each dealing with a security issue affecting the university.

Question 1. HTTP Interception

Aim

Your aim is to demonstrate the weakness of communicating in networks without encryption, in particular when web browsing. To do this, you will demonstrate how easy it is to intercept traffic in a network, and explain what information can be extracted from interception of HTTP traffic.

Complete the following phases, in order.

Phase 1: Setup

1. Add a new student user to the MyUni grading system (see NSL 16.3.6). The user must have:

• Username: [StudentID]

• Password: [FirstName]

2. Add a grade for the new student user for unit/course ‘coit20262’ with a grade of what you expect to receive this term, e.g. HD, D, C, P or F.

3. Change the domain of the MyUni website to www.[StudentID].edu by editing the /etc/hosts files.

4. Test that the existing users and new student can access the grading website.

Phase 2: Intercept HTTP Traffic

1. Start capturing on node2 using tcpdump.

2. The new student user must do the following on node1:

a. Visit the MyUni grading website, e.g.:

lynx http://www.[StudentID].edu/grades/

b. Follow the “Login” link and login

c. Follow the “View grades” link, enter their username and ‘coit20262’ to view the course/unit grade, and submit.

d. Follow the “Logout” link.

e. Exit lynx by pressing q for quit.

3. Stop capturing on node2. Note that it is important that the start of the TCP connection (i.e. the 3-way handshake) and all HTTP requests/responses are included in the capture.

4. Save the capture file as [StudentID]-http.pcap.

Phase 3: Analysis

Answer the following sub-questions regarding the previous phases.

(a) Submit the capture file.

(b) Draw a message sequence diagram that illustrates all the HTTP messages for the new student user viewing the grades (i.e. the HTTP messages from [StudentID]-http.pcap from phase 2 above). Do not draw any packets generated by other applications or protocols, such as ARP, DNS or SSH, and do not draw TCP connection setup or ACKs. Only draw HTTP messages. A message sequence diagram uses vertical lines to represent events that happen at a computer over time (time increases as the line goes down). Addresses of the computers/software are given at the top of the vertical lines. Horizontal or sloped arrows are used to show messages (packets) being sent between computers. Each arrow should be labelled with the protocol, packet type and important information of the message. Examples of message sequence diagrams are given in workshops. Note that you do not need to show the packet times, and the diagram does not have to be to scale. Draw the diagram yourself (e.g. using drawing software or by hand); do NOT use Wireshark to generate the diagram.

(c) As the attacker you can learn information from intercepting the packets. Based on the packet capture file, write a brief report on what useful information you can learn from the interception. The report, no longer than 1 page, must refer to specific values and packet numbers, as well as give a brief explanation of how the information may be useful for the attacker. For example, if you think the server port number is useful, then your report may say: “The port number used by the web server was 80, as seen in packet 13 in the capture file. The port number is useful for the attacker because …”.

(d) On the message sequence diagram from part (b), identify any messages that contain information you discussed in part (c). For example, if the first message on the message sequence diagram contains the server port number, then include the value of the port number on or next to the first message in the diagram from part (b).
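As an added illustration for Phase 3(c), not part of the assignment, the following script shows what a passive observer on node2 can read from a plaintext HTTP login and grade lookup. The two requests are constructed samples in the form tcpdump -A would print them; the MyUni paths, form field names and cookie name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the assignment text: the fields a passive observer on
# node2 can read from a plaintext HTTP exchange. Both requests are CONSTRUCTED
# samples in the form "tcpdump -A -r [StudentID]-http.pcap 'tcp port 80'" would
# show them; the MyUni paths, form field names and cookie name are assumptions.
set -eu

LOGIN_REQUEST='POST /grades/login.php HTTP/1.1
Host: www.12345678.edu
User-Agent: Lynx/2.8.9rel.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

username=12345678&password=Jane'

GRADES_REQUEST='GET /grades/view.php?username=12345678&unit=coit20262 HTTP/1.1
Host: www.12345678.edu
Cookie: PHPSESSID=constructedsessionid42
'

# Reads one HTTP request on stdin and prints every piece of information the
# capture exposes, one "label=value" per line: request line, host, cookies,
# query-string parameters and form-body parameters.
exposed_fields() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        NR == 1 {
            print "method=" $1
            n = split($2, p, "?"); print "path=" p[1]
            if (n > 1) emit("query.", p[2])      # parameters in the URL leak too
            next
        }
        /^[Hh]ost:/   { print "host=" $2; next }
        /^[Cc]ookie:/ { sub(/^[Cc]ookie: */, ""); print "cookie=" $0; next }
        /^$/          { body = 1; next }
        body          { emit("form.", $0) }      # form body: key=value pairs joined by &
        function emit(prefix, s,   kv, i, m) {
            m = split(s, kv, "&")
            for (i = 1; i <= m; i++) print prefix kv[i]
        }
    '
}

for req in "$LOGIN_REQUEST" "$GRADES_REQUEST"; do
    printf '%s\n' "$req" | exposed_fields
    echo '--'
done
```

Over HTTPS the same two requests would show an observer only the server address, the TLS handshake and the encrypted record sizes, which is the contrast the report in part (c) should draw out.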

Question 2. Vulnerability Assessment

Aim

Your aim is to conduct a (partial) vulnerability assessment of the educational institution. (It is only a partial assessment, rather than a complete one, as you will only assess a small number of threats.) You are to produce a brief report that could be presented to non-technical management (e.g. the university vice-chancellor or academic board).

Phase 1: Asset and Threat Identification

Identify three (3) different threats on assets relevant to the educational institution. These must come from the Attacks on a University database on Moodle. At least two (2) of the threats must be from you (i.e. have your name and not copied directly from others), and none (0) of the threats can be from staff (e.g. Unit Coordinator, Lecturers, Tutors). If you are not sure which entry in the database is from a student or staff, click on the link to their name. Include screenshots of each of the threats from the database in your report.

Phase 2: Vulnerability Appraisal

For each of the three (3) threats, provide a detailed explanation of a vulnerability that can lead to the threat. This should be a specific vulnerability, and refer to computer and network technologies, but still should be understandable by non-technical management.

Phase 3: Risk Assessment

For each of the three (3) threats, assign a vulnerability impact level, a likelihood level and a risk level, and explain why you assigned those impact and likelihood levels. You may choose your own scale for impact and likelihood.

Phase 4: Risk Mitigation

Recommend actions to take or countermeasures for each of the three (3) threats.

Question 3. Ransomware

Aim

Your aim is to write a brief report to university staff (including management) as follow up to a ransomware attack on the university.

Phase 1: Research and Report

Your university has been infected by ransomware, affecting primarily its grading system (e.g. a MyUni-style grading system or the Moodle Gradebook). You know that the ransomware encrypted files containing grade information using AES, and that the AES secret key was encrypted and saved on the system with RSA public key encryption. The RSA public key is stored in the ransomware code (which you have access to). The university was able to restore some parts of the grading system from backup and manually enter any missing grades.

Write a report addressing the following:

a) What is ransomware? Give a short introduction/overview so that management can understand.

b) Briefly describe real ransomware that has infected other organisations recently. Indicate the name of the ransomware, the organisation(s) it impacted, and what impact it had.

c) Explain the role of the cryptographic mechanisms and why you cannot simply decrypt the files. This should be explained for a technical audience, that is, the IT staff in the university. Refer to types of algorithms used and how they are used.

d) Recommend methods the university should take in the future to avoid becoming infected.

Question 4. Encryption and Signing

Aim

Your aim is to demonstrate skills and knowledge in cryptographic operations, especially key management. You will do this in pairs (that is, with a partner student).

When performing cryptographic operations you must be very careful, as a small mistake (such as a typo) may mean the result is an insecure system. Read the instructions carefully, understand the examples, and where possible test your approach (e.g. if you encrypt a file, test it by decrypting it and comparing the original to the decrypted file). It is recommended you use virtnet to perform the operations.

Phase 1: Key Generation

1. Generate your own RSA 2048-bit public/private key pair and upload your public key to the Public Key Directory on Moodle. (If you have already done this in the tutorial, you do not need to do it again). Save your keypair as [StudentID]-keypair.pem.

2. Generate a secret key to be used with AES-256-CBC, saving it in the file [StudentID]-key.txt.

3. Generate an IV to be used with AES-256-CBC, saving it in the file [StudentID]-iv.txt.

Phase 2: Message Creation and Signing

1. Create a message file [StudentID]-message.txt that is a plain text file containing your full name and student ID inside.

2. Digitally sign [StudentID]-message.txt using RSA and SHA256, saving the signature in the file [StudentID]-message.sgn.

Phase 3: Encryption

1. Encrypt [StudentID]-message.txt using symmetric key encryption, saving the ciphertext in the file [StudentID]-message.enc.

2. Encrypt [StudentID]-key.txt using public key encryption (RSA), saving the ciphertext in the file [StudentID]-key.enc.

3. Encrypt [StudentID]-iv.txt using public key encryption (RSA), saving the ciphertext in the file [StudentID]-iv.enc.

Phase 4: Upload to your Partner

1. To send files to your partner, you must upload them to the Encrypted Files database on Moodle. Your partner can then download them from the database.

Phase 5: Decryption and Verification

1. Download the files from your partner from the Encrypted Files database.

2. Decrypt to obtain the message, saving it in the file [StudentID]-received.txt.

3. Verify the signed message.

4. Take a single screenshot showing the OpenSSL verification command and the contents of the message. That is, the single screenshot should show the output of two commands:

openssl dgst …

cat [StudentID]-received.txt
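The following script, added here and not the assignment's own commands, runs Phases 1, 2, 3 and 5 end to end with OpenSSL for both students; it is also the same structure (AES for the data, RSA for the AES key) that Question 3(c) asks you to explain. "sender" and "partner" stand in for the two [StudentID] values, and the message text is constructed.

```shell
#!/bin/sh
# Added example, not the assignment's own commands: the full Question 4 exchange
# (Phases 1, 2, 3 and 5) run end to end with OpenSSL. "sender" and "partner" stand
# in for the two [StudentID]s; the message text is constructed; everything is
# written to a temporary directory.
set -eu

q4_roundtrip() (
    cd "$(mktemp -d)"

    # Phase 1: each student generates an RSA-2048 key pair and extracts the public key
    for who in sender partner; do
        openssl genrsa -out "$who-keypair.pem" 2048 2>/dev/null
        openssl rsa -in "$who-keypair.pem" -pubout -out "$who-pubkey.pem" 2>/dev/null
    done
    # AES-256-CBC needs a 32-byte key and a 16-byte IV, stored as hex for "openssl enc -K/-iv"
    openssl rand -hex 32 > sender-key.txt
    openssl rand -hex 16 > sender-iv.txt

    # Phase 2: message, signed with the SENDER's private key (RSA over a SHA-256 digest)
    printf 'Jane Doe, student 12345678\n' > sender-message.txt
    openssl dgst -sha256 -sign sender-keypair.pem -out sender-message.sgn sender-message.txt

    # Phase 3: AES encrypts the message; RSA with the PARTNER's public key encrypts the
    # key and IV, so only the partner's private key can unwrap them (the Q3 pattern)
    openssl enc -aes-256-cbc -K "$(cat sender-key.txt)" -iv "$(cat sender-iv.txt)" \
        -in sender-message.txt -out sender-message.enc
    openssl pkeyutl -encrypt -pubin -inkey partner-pubkey.pem -in sender-key.txt -out sender-key.enc
    openssl pkeyutl -encrypt -pubin -inkey partner-pubkey.pem -in sender-iv.txt -out sender-iv.enc

    # Phase 5 (after the Phase 4 upload/download): the partner unwraps key and IV,
    # decrypts, then verifies the signature with the SENDER's public key
    openssl pkeyutl -decrypt -inkey partner-keypair.pem -in sender-key.enc -out partner-key.txt
    openssl pkeyutl -decrypt -inkey partner-keypair.pem -in sender-iv.enc -out partner-iv.txt
    openssl enc -d -aes-256-cbc -K "$(cat partner-key.txt)" -iv "$(cat partner-iv.txt)" \
        -in sender-message.enc -out partner-received.txt
    openssl dgst -sha256 -verify sender-pubkey.pem -signature sender-message.sgn partner-received.txt
    cmp -s sender-message.txt partner-received.txt   # decrypted file must equal the original

    # Any change to the message after signing must make verification fail
    printf 'x' >> partner-received.txt
    ! openssl dgst -sha256 -verify sender-pubkey.pem -signature sender-message.sgn \
        partner-received.txt >/dev/null 2>&1
)

q4_roundtrip
echo 'round trip OK: decrypted message matches the original and the signature verifies'
```

The final negated verify shows why the Phase 5 check matters: altering even one byte of the received file after it was signed makes openssl dgst -verify fail.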

Phase 6: File Submission

a) Submit the files on Moodle. As output from these phases you should have the following files for submission on Moodle:

• [StudentID]-message.txt

• [StudentID]-keypair.pem

• [StudentID]-pubkey.pem

• [StudentID]-key.txt

• [StudentID]-iv.txt

• [StudentID]-message.sgn

• [StudentID]-message.enc

• [StudentID]-key.enc

• [StudentID]-iv.enc

• [StudentID]-received.txt (this will contain the message you received from your partner)

Even though the encrypted files and public keys must be available on the Moodle databases, you should also include a copy of the files in your assessment submission. Ensure the files in the database and your submission are the same; the marker may use either version.

Phase 7: Reflection

Think about the tasks you performed in this question and write a brief reflection. You should address:

b) Which parts were most challenging or led to mistakes, and why the mistakes occurred. What could be changed to make it easier and/or reduce mistakes. Consider OpenSSL as well as the method for sharing files via Moodle databases.

c) Identify potential security weaknesses in the process and/or the steps you took. 
