Problem 1
The following are three possible logon scenarios. Explain why option (c) below is preferable in terms of system security.

a.
    Welcome to XYZ computing
    Enter username: jones
    Invalid username
    Enter username:

b.
    Welcome to XYZ computing
    Enter username: smith
    Enter password: password
    Invalid access
    Enter username:

c.
    Enter username: smith
    Enter password: password
    Invalid access
    Enter username: smith
    Enter password: FpQr56
    Welcome to XYZ computing
Problem 3
Consider a password hash function that works as follows on a system where the password must contain only letters:

Step 1. Take each letter in the password and replace it with a number representing its place in the alphabet.
Step 2. Take each number from Step 1, multiply it by 2, and add 1.
Step 3. Combine the resulting numbers, separated by 0s, into a single string. This string is the encrypted password.

a. Given the user password "user", what would this hashing algorithm produce as the final encrypted password?
b. Comment on this hashing algorithm in terms of the security it provides for user passwords.
Problem 4
The default passcode on a cell phone is usually 4 digits, each 0-9.

a. How many different passcodes are possible?
b. If you can enter a 4-digit passcode in one second, about how long would it take you to try all possible passcodes?
Problem 5
Password characters on a certain system are limited to 26 uppercase letters [A ... Z], 26 lowercase letters [a ... z], 10 digits [0 ... 9], and 3 special symbols [#, $, %]. Suppose a password-cracking tool can generate and test 10,000,000 character strings (potential passwords) per second. Could all possible passwords of length 10 or less be generated and tested in under one week's time? (Use a spreadsheet to help find the answer.)
Problem 6
Merriam-Webster's Collegiate Dictionary, 11th ed. (Merriam-Webster, Inc., 2003), contains over 225,000 entries. Using a password-cracking tool that can process 1.7 million words per second, how long would it take to test each word in the dictionary as a possible password?
Problem 7
A virus attacks a single user's computer and within one hour embeds itself in 50 email attachment files sent out to other users. By the end of the hour, 10% of these have been opened and have infected their host machines. If this process continues, how many machines will be infected at the end of 5 hours? Can you find a formula for the number of machines infected after \(n\) hours?
Problem 8
A certain individual has a Hilton account, a Ritz-Carlton account, and a Marriott International account. The following email message is sent to this individual. Point out clues that should alert this individual that he or she is the victim of a phishing attack.

    We here at Marriott appreciate your loyalty as a customer. We want to make things more easy for you when you travel, so we have partnered with Hilton and Ritz-Carlton to create a unified rewards program. Now when you stay at any of these fine brand hotels, you will earn award points that can apply to a future stay at any of the three hotels. For you we will quick set this up, just click on the link below to get started: WWW.Mariott.com
Problem 10
Risk analysis is one way to monitor security in an organization. Risk analysis can be a time-consuming process; it involves a number of steps, some of which require "educated guessing." Nevertheless, the process alone raises awareness of security issues even if no immediate actions are taken as a result. The steps are:

i. Identify assets (infrastructure, people, hardware, software, reputation, etc.). For the rest of this list, we'll concentrate on a single asset.
ii. Determine vulnerability (what event or events might happen to the asset; for example, the building could catch fire, the website could be hacked, etc.). For the rest of this list, we'll concentrate on a single asset vulnerable to a single event.
iii. Estimate the probability per year of this event (based on past data, expert estimates, etc.). Take current security measures into account.
iv. Estimate the expected cost if this event occurs (cost to repair or replace, cost of lost business, etc.).
v. Compute risk exposure = cost estimate × probability estimate.
vi. Identify any additional security measure X that would help protect against this event, determine what it would cost, and calculate the risk exposure with the additional security measure X in place.
vii. Do a cost-benefit analysis: (Risk exposure without X) − (Risk exposure with X) − (Cost of X).

You have a small web-based business that uses a single server to manage your webpage and your customer information. Over the past four years, your website has been hacked and taken down twice. You estimate that the cost of this event is $600 to clean the server and reload the webpage and $12,000 in lost business while the server is down.

a. You could purchase a backup server for a cost of $3,000, which you estimate would reduce the probability per year of losing your website to 0.2. Would this be a cost-effective security measure?
b. What if you reevaluate the probability per year with the backup server to be 0.3? Does this change your answer?
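As an added worked example (not part of the textbook exercise), steps v and vii of the risk analysis written as functions and run on the scenario's own figures. One assumption is mine: the probability per year without the backup server is taken from the past data given, two take-downs in four years.

```python
# Added example: risk exposure and cost-benefit arithmetic from Problem 10.
# Function names and the estimate of the current probability are assumptions.

def risk_exposure(cost: float, probability: float) -> float:
    """Step v: risk exposure = cost estimate x probability estimate (per year)."""
    return cost * probability

def net_benefit(cost: float, p_without: float, p_with: float, measure_cost: float) -> float:
    """Step vii: (exposure without X) - (exposure with X) - (cost of X).
    A positive result means the measure X pays for itself in expected terms."""
    return risk_exposure(cost, p_without) - risk_exposure(cost, p_with) - measure_cost

# Scenario figures from the problem, in dollars per year
EVENT_COST = 600 + 12_000      # clean-up plus lost business for one take-down
P_WITHOUT = 2 / 4              # assumption: two incidents in four years -> 0.5 per year
BACKUP_COST = 3_000            # the additional security measure X

if __name__ == "__main__":
    print(f"current exposure: ${risk_exposure(EVENT_COST, P_WITHOUT):,.0f}")
    for p_with in (0.2, 0.3):  # parts (a) and (b)
        benefit = net_benefit(EVENT_COST, P_WITHOUT, p_with, BACKUP_COST)
        verdict = "cost-effective" if benefit > 0 else "not cost-effective"
        print(f"p_with={p_with}: net benefit ${benefit:,.0f} -> {verdict}")
```

Note that the sign of the result flips between the two probability estimates, which is exactly why step iii deserves the most scrutiny: the whole decision rides on a guessed number.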
Problem 11
Using a Caesar cipher with \(s = 5\), decode the received message RTAJ TZY FY IFBS.
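As an added example (not part of the textbook exercise), a Caesar decoder applied to the message above with \(s = 5\), plus an exhaustive listing of all 25 usable shifts to show why the cipher offers no real protection: the entire key space can be checked by eye. Function names are mine.

```python
# Added example: Caesar shift encode/decode and exhaustive key search for Problem 11.
import string

ALPHABET = string.ascii_uppercase

def caesar_shift(text: str, s: int) -> str:
    """Shift each letter forward by s positions (mod 26); leave other characters alone."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + s) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decode(ciphertext: str, s: int) -> str:
    """Decoding is encoding with the negated shift."""
    return caesar_shift(ciphertext, -s)

def all_shifts(ciphertext: str) -> dict:
    """Exhaustive key search: one candidate plaintext for each shift 1..25.
    Only one candidate will read as English, so the key is recovered without it."""
    return {s: caesar_decode(ciphertext, s) for s in range(1, 26)}

if __name__ == "__main__":
    received = "RTAJ TZY FY IFBS"
    print(caesar_decode(received, 5))       # MOVE OUT AT DAWN
    for s, candidate in all_shifts(received).items():
        print(f"s={s:2d}: {candidate}")
```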
Problem 14
The DES algorithm combines two bit strings by applying the XOR operator to each pair of corresponding bits. Compute the 6-bit string that results from \(100111 \oplus 110101\).