UT CS 361s - Final Exam

This preview shows page 1-2-3 out of 9 pages.


CS 361S - Network Security and Privacy
Spring 2014
FINAL
May 12, 2014

DO NOT OPEN UNTIL INSTRUCTED

YOUR NAME:

Collaboration policy

No collaboration is permitted on this exam. Any cheating (e.g., submitting another person’s work as your own, or permitting your work to be copied) will automatically result in a failing grade. The UTCS code of conduct can be found at http://www.cs.utexas.edu/undergraduate-program/code-conduct

Final (125 points)

Problem 1 (28 points)

Circle only one of the choices (4 points each).

1. TRUE FALSE BGP route updates are authenticated by 16-bit random transaction IDs.

2. TRUE FALSE To use a session-filtering firewall, applications such as Web browsers and FTP clients must be modified accordingly.

3. TRUE FALSE It is possible to create an anomaly detector which produces no false positives.

4. TRUE FALSE Recall that an RSA modulus n is a product of two large primes. If someone discovers an efficient algorithm for computing the greatest common divisor of two numbers, then breaking RSA will become feasible.

5. TRUE FALSE The main reason why WEP is insecure is that the attacker who knows the plaintext can easily recover the keystream by XORing this plaintext with the ciphertext.

6. TRUE FALSE With properly validated, unforged certificates, HTTPS security guarantees hold even if DNS has been poisoned.

7. TRUE FALSE You are attempting to connect to a server which presents a self-signed certificate. If you accept it, your security is the same as if you accepted a certificate issued by an untrusted certificate authority.

Problem 2

Problem 2a (4 points)

What is the difference between a Web attacker and a network attacker?

Problem 2b (4 points)

What capabilities do Web attackers have that allow them to perform cross-site request forgery attacks against websites that rely only on cookies for authentication?

Problem 2c (4 points)

What capabilities do Web attackers have that network attackers do not have?

Problem 3

Recall PwdHash, a browser extension that automatically converts the user’s password into website-specific, random-looking values. When the user visits a website like chase.com and types in a plaintext password like monkey, the browser instead sends Hash(monkey,chase.com), where Hash is a cryptographic hash function. This hashed value is what the website sees as the user’s password.

Problem 3a (4 points)

Suppose that the user uses the same weak password (e.g., monkey) at multiple bank websites.

Does PwdHash protect the user’s password from being cracked by a brute-force attack? If so, how?

Problem 3b (4 points)

Suppose that the user visits a fake website set up by a Web attacker—for example, a website that looks like citi.com but is hosted at citi.com.cn—and mistakenly types his true citi.com password into his modified browser.

Does PwdHash protect the user’s password from being stolen and used by the Web attacker? If so, how?

Problem 3c (4 points)

Suppose that the user accesses a banking website over HTTP via a malicious Wi-Fi access point.

Does PwdHash protect the user’s password from being stolen and used by the network attacker? If so, how?

Problem 4 (5 points)

Describe at least two changes that could be made to the C compiler to prevent buffer overflow attacks. Explain why these defenses would be effective.

Problem 5 (4 points)

SPF and DKIM are two defenses against spam.

With SPF, the receiving email server performs a DNS lookup on the “From:” domain name in the received message. As part of the DNS response, it receives the list of IP addresses authorized to send email from that domain. If the IP address from which the message arrived is not on the list, the message is rejected.

With DKIM, the sending email server digitally signs the message with its private key. The receiving email server performs a DNS lookup on the “From:” domain name in the received message. As part of the DNS response, it receives the public key of that domain. It uses this public key to verify the signature on the received message. If verification fails, the message is rejected.

Describe an attack on SPF that does not work against DKIM.

Problem 6

Consider a stateless packet filtering firewall installed at the gateway of a corporate network. Assume that all traffic to and from the network flows through the firewall. The format of a firewall rule is as follows:

Interface Action SourceIP SourcePort DestIP DestPort

Problem 6a (4 points)

Can a packet filter block all external attempts to connect using HTTP to a Web server located at a particular address within the corporate network, but permit HTTPS access to the same server? If yes, what would the firewall rule(s) look like? If no, why not?

Problem 6b (4 points)

Can a packet filter block all incoming email messages containing the word V1AGRA? If yes, what would the firewall rule look like? If no, why not?

Problem 6c (6 points)

List three different network attacks that even a stateful firewall cannot protect against.

Problem 7 (10 points)

Suppose that every packet observed by a network-based intrusion detection system (NIDS) belongs to one of the following mutually exclusive categories: legitimate (88% of all traffic), known worm (4%), distributed denial of service (4%) or port scan (4%).

The NIDS correctly classifies all known-worm packets. A legitimate packet is classified as legitimate with probability 91%, and misclassified as belonging to any of the three attack categories with equal probability. A DDoS packet is classified as DDoS with probability 50%, as a known worm with probability 40%, and as a legitimate packet with probability 10%. A port-scan packet is classified correctly with probability 85%, and misclassified as a legitimate packet with probability 15%.

If the NIDS announces that a particular packet belongs to a known worm, what is the probability that this packet is not a legitimate packet? Show your calculations.

Problem 8 (4 points)

How does a network telescope work? Give an example of a real-world worm or virus that would have been difficult to analyze using a network telescope and explain why.

Problem 9 (4 points)

The Bank of Molvanîa website uses authentication cookies in which the username and timestamp are encrypted with RC4(K), where K is the fixed key known only to the website itself.

If you are a customer of the bank, explain how you can log in under the username of any other customer.

Problem 10

For each of the following threats, explain in detail what mechanism is used in SSL/TLS to provide protection, and how it is used. Do not make any assumptions about the specific encryption or
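
Problem 3's Hash(password, domain) construction, sketched as an added example that is not part of the exam: it derives the per-site value from the page's hostname and audits a derived value against a small wordlist. HMAC-SHA256, the function names and the wordlist are assumptions, since the exam does not say which hash PwdHash uses.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


def site_password(typed: str, url: str, length: int = 16) -> str:
    """Value the site receives in place of the typed password.

    Assumption: HMAC-SHA256 keyed by the typed password over the page's
    lower-cased hostname stands in for the exam's Hash(password, domain).
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    mac = hmac.new(typed.encode(), host.encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def found_in_wordlist(observed: str, url: str, wordlist):
    """Return the wordlist entry that derives `observed` for this site, else None.

    Audits whether a per-site value still exposes a weak password: the
    hostname is public, so the typed password is the only unknown input.
    """
    for guess in wordlist:
        if hmac.compare_digest(site_password(guess, url), observed):
            return guess
    return None


# Constructed sample inputs (the domains and the password are the exam's own).
WORDLIST = ["123456", "password", "monkey", "letmein"]
REAL = "https://citi.com/login"
LOOKALIKE = "https://citi.com.cn/login"

if __name__ == "__main__":
    real = site_password("monkey", REAL)
    fake = site_password("monkey", LOOKALIKE)
    print("citi.com     ->", real)
    print("citi.com.cn  ->", fake, "(differs)" if real != fake else "(same)")
    # The URL scheme is not an input: the value sent over HTTP equals the HTTPS one.
    print("http == https:", site_password("monkey", "http://citi.com/") == real)
    print("wordlist hit :", found_in_wordlist(real, REAL, WORDLIST))
```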

