A fake wifi hot spot (also known as an evil twin wifi hot spot) sounds like a great way to steal passwords
Problem 1 (20 Marks)
A. A fake wifi hot spot (also known as an evil twin wifi hot spot) sounds like a great way to steal passwords. Discuss the following kill chain for using a fake wi-fi hot spot. (10 marks)
- The criminal goes to the victim’s workplace and gets the name and ID number of their work wifi.
- The criminal sets up a wifi hot spot with the same name and ID number. They also set up some fake web pages of popular bank web sites, and the victim’s work email web site.
- Then the criminal drives past the victim (or sits near them in the coffee shop), so that the victim’s phone or laptop detects the fake wifi hot spot, and auto-connects to it.
- The victim’s downloads are now going through the criminal’s laptop. In particular, the criminal can give a fake DNS answer.
- If the victim tries to connect to a web site (e.g., email, bank, anything web-based), the criminal can do a DNS redirect to a fake version of that website.
- If the victim types in their password on the fake web site, the criminal can collect it.
Note that Kali Linux has a piece of software that does all of this more or less automatically. Sounds pretty slick, doesn’t it?
B. But what might go wrong? Discuss, for example, any 3 of the following, or anything else you can think of that might go wrong. (10 marks)
- Geo-fencing: if the victim was smart, they would disable the auto-connect to their work wifi hotspot when they are not at work. But few victims think of this.
- Did the criminal remember to change the MAC address of their laptop, which is providing the fake wifi hot spot? The victim’s phone will record the MAC address of the hot spot, and if it’s the criminal’s real MAC address, the police might use that to find the criminal.
- After the criminal has stolen the password, the victim might get suspicious, and tell the bank. The bank’s usual approach is to leave the password working on a fake account, and wait for the criminal to try and log in, and perhaps catch the criminal from their IP address.
- You might be thinking of using a VPN to log in to the bank with the stolen password? How many VPNs keep log files and other records, which can be seized by police?
- A weakness to this approach is that the criminal has to get within wifi range of the victim. If the criminal is known to the victim, they might see the criminal and recognize them.
- Similarly, public areas have a lot of surveillance cameras. If the criminal is near the victim, and the victim works out when and where they typed in the password to the fake web page, police might go through nearby video cameras, looking for anyone with a laptop.
- Police can also pull up a list of every phone in the area, and go through that list. Did the criminal remember to turn their phone off?
- Or anything else you can think of that might go wrong.
Problem 2 (20 marks)
Another way to steal a password is for the criminal to place a hidden camera near the victim’s PC, and record the victim as they type in their password (perhaps when they unlock it, or perhaps first thing in the morning). This works best if the victim types slowly, with only two fingers. Discuss how the criminal might do this.
Pick one type of hidden camera. It can be on the list below, but feel free to choose a hidden camera that’s not on the list.
Fixed cameras include a:
- Clock with a camera in it
- USB charger with a camera in it
- Mirror with a camera in it
- Hook with a camera in it (sticks to the wall, or to a door)
- Smoke detector with a camera in it (sticks to the ceiling)
- Light bulb with a camera in it (plugs into a light bulb socket in the ceiling)
Mobile and wearable cameras include:
- Bottle of water with a camera in it
- Can of Coca-Cola with a camera in it
- USB stick with a camera in it
- Wrist watch with a camera in it
- Tie clip with a camera in it
- Cigarette lighter with a camera in it
- Pen with a camera in it (and it really writes, too)
- Car key fob with a camera in it
Your answer should cover:
1. Give the web link, or a screen shot, or similar.
2. How much does the camera cost?
3. In your answer, you might consider addressing some of these issues: (10 marks)
- Can the criminal retrieve the video data without being noticed? (Perhaps when they type their password to unlock the PC, while you are nearby, or perhaps first thing in the morning)
- Can the criminal install or move the camera, without being noticed, or looking suspicious?
- When the camera is in place and recording, does it look suspicious? Could the victim notice something odd?
4. Consider the technical specs of the camera. (10 marks)
- Does the camera give enough detail? Can it zoom in on the keyboard?
- Does the camera use a battery, or does it plug into a wall plug or USB plug? If it’s a battery, could the battery run flat before you can record the password?
- Does it record all the time, or is it motion sensitive? That is, does it only record video if there is movement? (This makes the battery last longer).
- If the criminal cannot retrieve the camera, can it be traced back to the criminal? (Fingerprints? Serial number?)
Problem 3 Some fun questions about criminal web sites (20 marks)
Describe your findings for 5 random 4-letter domain names. (4 marks each)
a. Go to the web site http://www.internetlivestats.com and write down how many web sites there are in the world today. (1 mark)
b. Scroll down a little, and look for how many web sites have been hacked today. How many have been hacked so far today? (1 mark)
c. Practically every 4-letter domain name in “.com” has already been registered. Make up five different random 4-letter domain names, such as (as a random example) tiyu.com, ptjh.com, cjqx.com, and so forth.
Use a WHOIS search to look up those random 4-letter domain names, and find out how many of them are registered. Many web sites offer WHOIS lookups for free, such as http://whois.com/whois or http://dnstoolkit.net/whois/
Of your 5 random 4-letter domain names:
- How many are registered?
- From WHOIS, what is the name of the contact person? It should be listed as “Registrant Name”.
- Is there a phone number, email address, or physical address?
Problem 4. Public Key Providers (20 marks)
This question is about the companies that provide public keys used in web site encryption. The key is called a “digital certificate”. Web sites with encryption start with https not http. Discuss two Public Key Providers (10 marks each).
a. Go to your favorite encrypted web site, such as a bank, or any web site which asks for a password. Click on the padlock symbol, and it will tell you the name of the company that issued the digital certificate for the web site. Alternatively, you could just pick a company from the list of recognized digital certificates for the Mozilla web browser, at: http://www.mozilla.org/projects/security/certs/included/index.html
Either way, find the name of a company that issues digital certificates for web sites. (2 marks)
b. Go to the web site of that company that issues digital certificates. Look up their contact details, and write down the company’s street address and phone number. (2 marks)
c. Browse the web site of the company that sells digital certificates. How much does a digital certificate cost for a year? (Use the cheapest choice, e.g., single-name certificate). (2 marks)
d. How does someone apply for a digital certificate from this company? Do they ask for a driver’s licence? An incorporation certificate? Or do they only ask that you generate a CSR (certificate signing request), which a web server program can make using its domain name. (2 marks)
e. In your opinion, could a criminal obtain a digital certificate from this company? Could they use it for a phishing web site like https://www.mybank.com-blahblah1234-gang.com? Why or why not? (2 marks)
Problem 5. A Cost-benefit analysis! (10 marks)
Your company’s web site is sometimes broken into by hackers, with the following estimates of probabilities and costs:
· Each day there is a 0.5% chance that a script kiddie will only deface the web site, but cause no other damage. This would cost only $20,000 in lost sales.
· Each day there is a 0.3% chance that an expert hacker will delete data and steal customers’ credit card numbers, costing $200,000.
· Remember how hackers stole all the data from Ashley Madison and killed the company? We estimate that each day there is a 0.03% chance that an expert hacker will steal all the company’s data, costing $1,000,000.
The big boss wants you to advise on which of these three solutions to buy:
- We could do nothing and accept the problem.
- A nice IBM firewall costs a huge $40,000 per year. It claims to prevent all the script kiddie attacks, and 95% of both kinds of expert attack.
- A cheap Microsoft firewall costs only $5,000 per year. It claims to prevent 90% of script kiddie attacks, and 50% of both kinds of expert attacks.
The big boss wants you to advise which to choose. Feel free to use a spreadsheet or calculator or whatever you find the most convenient to answer these questions:
· Calculate the annualized loss expectancy (ALE) for the three kinds of hacker attacks. What is the total annual loss expectancy? (3 marks)
· For the three possible solutions, calculate the total annualized loss expectancy (ALE) if that solution was used? (3 marks)
· Calculate the cost-benefit of the three different solutions (6 marks)
· If the boss asks, is there a large difference between the solutions (are two solutions about the same), or is there a clear winner? (2 marks)
· The Microsoft salesperson offers to reduce the price from $5,000 per year, to completely free. Would free software change your advice? (2 marks)
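The ALE and cost-benefit arithmetic for Problem 5, as an added worked example that is not part of the original assignment. It assumes a 365-day year, treats the annual rate of occurrence as daily probability × 365, and takes the vendors' prevention claims at face value; the function and dictionary names are hypothetical.

```python
from fractions import Fraction as F

DAYS_PER_YEAR = 365  # assumption: the problem does not state the annualization basis

# Threat -> (daily probability, cost per incident), from the problem statement.
THREATS = {
    "script_kiddie": (F("0.005"), 20_000),
    "expert_theft": (F("0.003"), 200_000),
    "expert_total_loss": (F("0.0003"), 1_000_000),
}

# Solution -> (annual price, fraction of script-kiddie attacks prevented,
#              fraction of both kinds of expert attack prevented).
SOLUTIONS = {
    "do_nothing": (0, F(0), F(0)),
    "ibm_firewall": (40_000, F(1), F("0.95")),
    "microsoft_firewall": (5_000, F("0.90"), F("0.50")),
}

def baseline_ale():
    """ALE per threat = annual rate of occurrence x single loss expectancy."""
    return {name: p * DAYS_PER_YEAR * cost for name, (p, cost) in THREATS.items()}

def residual_ale(solution):
    """Total ALE that remains after the solution's claimed prevention rates."""
    _, kiddie, expert = SOLUTIONS[solution]
    total = 0
    for name, loss in baseline_ale().items():
        prevented = kiddie if name == "script_kiddie" else expert
        total += loss * (1 - prevented)
    return total

def net_benefit(solution, price=None):
    """Loss avoided per year minus the yearly price of the solution."""
    if price is None:
        price = SOLUTIONS[solution][0]
    return sum(baseline_ale().values()) - residual_ale(solution) - price

if __name__ == "__main__":
    for threat, loss in baseline_ale().items():
        print(f"{threat:20s} ALE ${float(loss):>10,.0f}")
    print(f"{'total':20s} ALE ${float(sum(baseline_ale().values())):>10,.0f}")
    for name in SOLUTIONS:
        print(f"{name:20s} residual ${float(residual_ale(name)):>10,.0f}"
              f"  net benefit ${float(net_benefit(name)):>10,.0f}")
    # The last bullet: the Microsoft firewall offered at no cost.
    free = net_benefit("microsoft_firewall", price=0)
    print(f"{'microsoft (free)':20s} net benefit ${float(free):>10,.0f}")
```

Exact fractions are used so the totals are not disturbed by floating-point rounding of values such as 0.03%.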
Problem 6. Cloud Computing (10 marks)
There are several cloud computing providers, such as:
- Amazon Web Services (AWS)
- Alibaba Cloud
- Google Cloud Platform
- Microsoft Azure
- Kamatera Performance Cloud, and many others.
Pick any one cloud computing provider, and go to their web site to answer these questions.
a. I’m a criminal, and want to do password hashing for my dictionary attacks. This will need 100 servers, running Linux (not Windows). How much would this cost, per month? You can round off if you want. (4 marks)
b. Is there a 1-month free trial? Can I get 100 servers for free? (2 marks)
c. Can anyone rent 100 servers? Do they check up on who I am, or can I be some criminal with an anonymous email address? (2 marks)
d. In what country are the physical servers? Or don’t they say? (2 marks)