A. A fake Wi-Fi hotspot (also known as an evil-twin hotspot) sounds like a great way to steal passwords. Discuss the following kill chain for using a fake Wi-Fi hotspot. (10 marks)
Note that Kali Linux has a piece of software that does all of this more or less automatically. Sounds pretty slick, doesn’t it?
B. But what might go wrong? Discuss, for example, any 3 of the following, or anything else you can think of that might go wrong. (10 marks)
Another way to steal a password is for the criminal to place a hidden camera near the victim’s PC and record the victim as they type in their password (perhaps when they unlock the PC, or first thing in the morning). This works best if the victim types slowly, with only two fingers. Discuss how the criminal might do this.
Pick one type of hidden camera. It can be on the list below, but feel free to choose a hidden camera that’s not on the list.
Fixed cameras include a:
Mobile and wearable cameras include:
Your answer should cover:
1. Give the web link, or a screen shot, or similar.
2. How much does the camera cost?
3. In your answer, you might consider addressing some of these issues: (10 marks)
4. Consider the technical specs of the camera. (10 marks)
Describe your findings for 5 random 4-letter domain names. (4 marks each)
a. Go to the web site http://www.internetlivestats.com and write down how many web sites there are in the world today. (1 mark)
b. Scroll down a little and find the counter for web sites hacked today. How many have been hacked so far today? (1 mark)
c. Practically every 4-letter domain name in “.com” has already been registered. Make up five different random 4-letter domain names, such as (as a random example) tiyu.com, ptjh.com, cjqx.com, and so forth.
Use a whois search to look up those random 4-letter domain names, and find out how many of them are registered. Many web sites offer whois lookups for free, such as http://whois.com/whois or http://dnstoolkit.net/whois/
Of your 5 random 4-letter domain names:
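As an added illustration (not part of the original assignment), the following Python picks random 4-letter .com names reproducibly and classifies whois responses as registered or not. The whois texts below are constructed samples modelled on the Verisign registry format; the registrar and dates in them are made up, and in reality every 4-letter .com name is already taken, so the “No match” sample exists only to exercise that branch.

```python
import random
import re
import string

ALPHABET = string.ascii_lowercase
# 26^4 = 456,976 possible 4-letter .com names in total
POSSIBLE_FOUR_LETTER_COMS = len(ALPHABET) ** 4

# Constructed sample responses (not real lookups), keyed by the name queried.
SAMPLE_WHOIS = {
    "tiyu.com": (
        "   Domain Name: TIYU.COM\n"
        "   Registrar: Example Registrar, LLC\n"
        "   Creation Date: 2004-05-18T00:00:00Z\n"
    ),
    "ptjh.com": (
        "   Domain Name: PTJH.COM\n"
        "   Registrar: Example Registrar, LLC\n"
    ),
    "zqxv.com": (
        'No match for domain "ZQXV.COM".\n'
        ">>> Last update of whois database: 2024-01-01T00:00:00Z <<<\n"
    ),
}


def random_four_letter_domains(n, seed=None):
    """Return n distinct random 4-letter .com names; a seed makes the choice repeatable."""
    rng = random.Random(seed)
    names = set()
    while len(names) < n:
        names.add("".join(rng.choice(ALPHABET) for _ in range(4)) + ".com")
    return sorted(names)


def is_registered(whois_text):
    """Classify a whois response.

    Registered names come back with a 'Domain Name:' record; the .com registry
    answers 'No match for domain ...' for names nobody holds.  Anything else is
    reported as unrecognised rather than guessed.
    """
    if re.search(r"^\s*No match for", whois_text, re.MULTILINE | re.IGNORECASE):
        return False
    if re.search(r"^\s*Domain Name:", whois_text, re.MULTILINE | re.IGNORECASE):
        return True
    raise ValueError("unrecognised whois response")


def count_registered(responses):
    """Number of names in a {name: whois_text} mapping that are registered."""
    return sum(1 for text in responses.values() if is_registered(text))


if __name__ == "__main__":
    print("candidates:", random_four_letter_domains(5, seed=42))
    print("registered in sample:", count_registered(SAMPLE_WHOIS), "of", len(SAMPLE_WHOIS))
```

To use it on live data, feed the text printed by the command-line `whois tiyu.com` (or a web whois page) into `is_registered`; the regexes only cover the .com registry wording, so other TLDs may need their own patterns.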
This question is about the companies that issue the digital certificates used for web site encryption: certificate authorities (CAs). A digital certificate binds a web site’s public key to its domain name (and, for some certificate types, to the organisation behind it), and is signed by the CA. Web sites with encryption start with https not http. Discuss two certificate authorities (10 marks each).
a. Go to your favorite encrypted web site, such as a bank, or any web site which asks for a password. Click on the padlock symbol and view the certificate details; the issuer field gives the name of the company that issued the digital certificate for the web site. Alternatively, you could just pick a company from the list of recognized certificate authorities for the Mozilla web browser, at: http://www.mozilla.org/projects/security/certs/included/index.html
Either way, find the name of a company that issues digital certificates for web sites. (2 marks)
b. Go to the web site of that company that issues digital certificates. Look up their contact details, and write down the company’s street address and phone number. (2 marks)
c. Browse the web site of the company that sells digital certificates. Find how much a digital certificate costs for a year. (Use the cheapest choice, e.g., a single-name certificate.) (2 marks)
d. How does someone apply for a digital certificate from this company? Do they ask for a driver’s licence? An incorporation certificate? Or do they only ask that you generate a CSR (certificate signing request), which a web server program can make using its domain name, and then prove control of that domain name (for example by answering a challenge over HTTP or DNS)? A certificate issued on that basis alone is called domain-validated (DV): it proves control of the name, not who the owner is. (2 marks)
e. In your opinion, could a criminal obtain a digital certificate from this company? Could they use it for a phishing web site like https://www.mybank.com-blahblah1234-gang.com? Why or why not? (2 marks)
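As an added example (not part of the original assignment), the following Python shows why a domain-validated certificate for a phishing name like the one above is straightforward to obtain: the CA only checks control of the registrable domain, which here is not mybank.com at all. The `registrable_domain` helper uses a simplifying assumption, the last two labels of the hostname, rather than the Public Suffix List that real tools consult (so it would get co.uk-style suffixes wrong).

```python
from urllib.parse import urlparse


def hostname_of(url):
    """Lower-cased hostname of a URL, without any trailing dot."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError("URL has no hostname: %r" % url)
    return host.lower().rstrip(".")


def registrable_domain(url):
    """The name a registrar actually sold, which is what a DV certificate
    authority checks control of.

    Assumption (simplification): the registrable part is the last two labels.
    Real tools use the Public Suffix List so that e.g. 'bank.co.uk' is handled.
    """
    labels = hostname_of(url).split(".")
    if len(labels) < 2:
        raise ValueError("not a fully qualified hostname: %r" % url)
    return ".".join(labels[-2:])


def is_under(hostname, domain):
    """True when hostname is domain itself or a subdomain of it."""
    return hostname == domain or hostname.endswith("." + domain)


def is_lookalike(url, legitimate_domain):
    """True when the URL's host mentions the brand but is not really under it.

    This is the pattern a phishing site relies on: the browser shows a padlock
    for the name the attacker controls, while the visible string still contains
    'mybank.com'.
    """
    host = hostname_of(url)
    legit = legitimate_domain.lower()
    brand = legit.split(".")[0]
    return (not is_under(host, legit)) and brand in host


if __name__ == "__main__":
    phish = "https://www.mybank.com-blahblah1234-gang.com"
    real = "https://www.mybank.com/login"
    for url in (phish, real):
        print(url)
        print("  host:             ", hostname_of(url))
        print("  DV CA validates:  ", registrable_domain(url))
        print("  lookalike of mybank.com:", is_lookalike(url, "mybank.com"))
```

The check does nothing to tell the user whether a certificate is legitimate; the certificate for the phishing host is perfectly valid for the name it was issued to. The defence is to compare the registrable domain, not to trust the padlock.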
Your company’s web site is sometimes broken into by hackers, with the following estimates of probabilities and costs:
· Each day there is a 0.5% chance that a script kiddie will only deface the web site, but cause no other damage. This would cost only $20,000 in lost sales.
· Each day there is a 0.3% chance that an expert hacker will delete data and steal customers’ credit card numbers, costing $200,000.
· Remember how hackers stole all the data from Ashley Madison and nearly destroyed the company? We estimate that each day there is a 0.03% chance that an expert hacker will steal all the company’s data, costing $1,000,000.
The big boss wants you to advise on which of these three solutions to buy:
Feel free to use a spreadsheet or calculator or whatever you find most convenient to answer these questions:
· Calculate the annualized loss expectancy (ALE) for the three kinds of hacker attacks. What is the total annual loss expectancy? (3 marks)
· For each of the three possible solutions, calculate the total annualized loss expectancy (ALE) if that solution were used. (3 marks)
· Calculate the cost-benefit of each of the three solutions: the reduction in ALE it brings, minus its annual cost. (6 marks)
· If the boss asks, is there a large difference between the solutions (are two solutions about the same), or is there a clear winner? (2 marks)
· The Microsoft salesperson offers to reduce the price from $5,000 per year, to completely free. Would free software change your advice? (2 marks)
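As an added worked example (not part of the original assignment), the following Python carries the ALE arithmetic through for the three attacks above and shows the cost-benefit calculation for a control. ARO is taken as daily probability × 365, SLE is the cost of one incident, and ALE = ARO × SLE. The assignment’s three solutions are not reproduced on this page, so the controls used below are hypothetical: their prices (the $5,000-per-year figure, and the free variant) come from the question, but the fraction of each attack they prevent is made up purely to show the method.

```python
from dataclasses import dataclass

DAYS_PER_YEAR = 365


@dataclass(frozen=True)
class Threat:
    name: str
    daily_probability: float       # chance the attack succeeds on any given day
    single_loss_expectancy: float  # SLE: cost of one occurrence, in dollars


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reduction: dict  # threat name -> fraction of its rate of occurrence removed


def annual_rate_of_occurrence(threat):
    """ARO: a daily chance p gives 365*p expected occurrences per year."""
    return threat.daily_probability * DAYS_PER_YEAR


def ale(threat, reduction=0.0):
    """ALE = ARO * SLE, with the ARO scaled down by a control's reduction."""
    return round(annual_rate_of_occurrence(threat) * (1.0 - reduction)
                 * threat.single_loss_expectancy, 2)


def total_ale(threats, control=None):
    """Sum of ALEs, before (control=None) or after applying a control."""
    reductions = control.reduction if control is not None else {}
    return round(sum(ale(t, reductions.get(t.name, 0.0)) for t in threats), 2)


def cost_benefit(threats, control):
    """Net annual benefit = loss avoided (ALE before - ALE after) - control cost."""
    avoided = total_ale(threats) - total_ale(threats, control)
    return round(avoided - control.annual_cost, 2)


# The three attacks from the question: (daily probability, cost of one incident).
THREATS = [
    Threat("defacement", 0.005, 20_000),
    Threat("data theft", 0.003, 200_000),
    Threat("full breach", 0.0003, 1_000_000),
]

# Hypothetical controls.  The reduction fractions are assumptions for illustration;
# only the $5,000 / free price comes from the question.
ASSUMED_EFFECT = {"defacement": 0.9, "data theft": 0.5, "full breach": 0.5}
MS_PAID = Control("Microsoft product (assumed effect)", 5_000, ASSUMED_EFFECT)
MS_FREE = Control("Microsoft product, free (assumed effect)", 0, ASSUMED_EFFECT)


if __name__ == "__main__":
    for t in THREATS:
        print("%-12s ARO %.4f  ALE $%10.2f" % (t.name, annual_rate_of_occurrence(t), ale(t)))
    print("total ALE, no control: $%.2f" % total_ale(THREATS))
    for c in (MS_PAID, MS_FREE):
        print("%s: ALE after $%.2f, net benefit $%.2f"
              % (c.name, total_ale(THREATS, c), cost_benefit(THREATS, c)))
```

With the figures in the question the baseline comes to $36,500 + $219,000 + $109,500 = $365,000 per year, so the rare $1,000,000 breach is worth less per year than the 0.3% credit-card theft; a control that only addresses defacement cannot recover much. Making a product free raises its net benefit by exactly its former price and changes nothing about how much loss it avoids, so it only changes the advice if the paid version was roughly break-even.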
There are several cloud computing providers, such as:
Pick any one cloud computing provider, and go to their web site to answer these questions.
a. I’m a criminal and want to hash candidate passwords for my dictionary attacks. This will need 100 servers, running Linux (not Windows). How much would this cost, per month? You can round off if you want. (4 marks)
b. Is there a 1-month free trial? Can I get 100 servers for free? (2 marks)
c. Can anyone rent 100 servers? Do they check up on who I am, or can I be some criminal with an anonymous email address? (2 marks)
d. In what country are the physical servers? Or don’t they say? (2 marks)