Authentication & Comp.Secruity

1.       Investigate
what the “Nothing to hide” argument means regarding privacy and
government/corporate surveillance. List and analyze, giving your reasoned view,
the arguments for and against it.

“Nothing to hide” argument revolves around the idea that a government should be
able to track and store all information that a person has viewed and stored via
the internet, this would include pictures, videos, bank account information,
download history and much more.
From the perspective of a user for Nothing to hide is that most corporate
business such as Google are already tracking everything that someone does on
the internet, for example in order to access Google Maps someone will need to
first allow their location to be shared with Google, this means that Google
know your exact starting position, route and destination. With this in mind the
government are raising the point that as this information is stored by business
already therefore if the government were to gain access there would be no further
breach of information.Similarly at the moment governments have the means of
accessing this but they need reasonable evidence first in order to gain access.

Most people
who are unaware of the situation, including myself, before researchingtook the
perspective of “I don’t have a problem with the government seeing my
information as I have nothing to hide”, but while reading through an article I
came across a statement that was raised by Ed Snowden which was“Saying
you have nothing to hide is the same as not caring about free speech because
you have nothing to say”(Medium, 2016). This made me
question my initial thoughts as even though a person has nothing to hide they
should still be entitled to their own privacy.
Another issue that was raised was that if the government were given access to
all information, what is stopping them from selling the collected data to third
party business, these businesses will then be able to have more targeted
advertisements? Currently there are issues with Facebook and Google who are
exploiting this as the moment as they track peoples search history’s and then
set advertisements based on those searches.
Finally what people do not understand is that if the government were given
access to your private information, this allows them to see anything that is
deemed confidential, this includes: DNA, hospital records and many more. Not
only hospital information but this allows government the government to surveillance
a person whenever they want, this includes views from cameras on laptop
webcams, console cameras such as Xbox Kinect and even phone cameras.

To conclude
prior to in-depth research of the “Nothing to hide” argument I did not have
much of an opinion on the matter, so naturally I fell into the “I have nothing
to hide so I shouldn’t be worried” mind set, but with further investigate I
began to release the extent of the power this would pass on to the government
and also bearing in mind that once they have this power we cannot retract this
argument. I believe that the government should not have the ability to view
everything a person does browsing the internet, not only due to having no
privacy but also the threat that our information would therefore be more likely
to be stolen as the government need to store this information somewhere leading
it to be more likely to be attacked by hackers. As previously discussed there
are positives and negatives to this argument but there is potential for this
power to be abused and this is where the trust between government and the
community are not great enough to allow the this sort of power.

2.       Describe
in detail all known attacks against the Diffie-Hellman protocol, and the most
common countermeasures to stop them. Consider the date of the attacks and
changes over time that reduced or increased their relevance.

there are two main known attacks against the Diffie-Hellman protocol which are
Logjam against TLS protocol and Brute Force attacks on prime numbers.

The Logjam
attack is based off the “Man in the middle” attack, but there was a
prerequisite in order to complete this attack. When the Diffie-Hellman protocol
was first released it was initially used by governments back in the 1980s for
encryption though communication. One of the first cipher suites used was
DHE_EXPORT, which was 56 bit, This means that the client and server were only
allowed to use 512 bit parameters while encrypting. At the time this was very
secure and what was indented in order to achieve encryption, but moving forward
fifteen years the computers that were used in the 1980s was purchasable by
everyday business and individuals. As computers were getting increasingly
computationally powerful hackers saw the opportunity on users who used legacy
browsers, these legacy browsers only supported DHE_EXPORT cipher suit which a
hacker was able to brute force all the possible combinations to allow
themselves to view that secure information that was being transminited.
In order for business to stop this kind of an attack they first disabled the
use of DHE_EXPORT and many other weak cipher suites and additionally encouraged
users to update their browsers. Unfortunately due to local administrators being
unaware of Logjam attacks and default settings on servers which still use weak
cipher suites Logjam attacks are still present over twenty years later.

NSA released to the public that even though the Diffie-Hellman protocol is one
of, if not the best ways to communicate to create symmetric keys, they did
realized that they were flaws in the approach that it takes. Currently
Diffie-Hellman protocol uses 1024-bit keys which with common technology would
take years and thousands of dollars to crack one of the prime numbers that are
used in the protocol. What NSA observed is that only a set amount of prime
numbers are used in each communication. Researchers wrote “Since a handful of primes are
so widely reused, the payoff, in terms of connections they could decrypt, would
be enormous”(HENINGER, 2015), NSA were then able
to calculate that even by cracking two of the large prime numbers that would
allow them to eavesdrop on 20% of the top HTTPS websites. At the moment it
seems that this issue is not as pressing as what it makes out to be as the NSA
are normally around ten years in front of current technology and mathematic
standards, but even though the issue has been highlighted it now time to think
of what can be done in order to mitigate this problem before hackers are able
to exploit it.
    Currently the only resolution to this
issue is to increase the bit length from 1024 to 2048, the knock on effect here
is that even though this approach does irradiate the potential of brute force
attacks it does have knock on effect on the speed in which communication takes
place, as due to the prime numbers being bigger the time in which to generate
and calculate the keys with be drastically increased. The other alternative is
to wait for quantum computers, not only does this resolve the issue of time
taken to complete the mathematic functions involved but also allows the bit size
to be increased. Once again this only resolves the issue until quantum
computers become purchasable by the public as they can be used by hackers to
brute force the keys and or prime numbers used.
Overall the battle between attacks and mitigations on the Diffie-Hellman is an
ongoing battle and forever will be until a improved protocol will be created.

3.       Write
an in-depth description of the FREAK SSL/TLS Vulnerability, describing its
potential impact and the countermeasures/mitigation techniques used

(Factoring RSA Export Keys) is an exploit in SSL/TLS protocols which was
introduced by the U.S cryptography export regulations. FREAK is a man in the
middle attack where the hacker will use legacy software to use public key
encryption with moduli 512 or less encryption (AKA RSA_EXPORT).

created by Netscape around the 1990s for encryption for credit cards, at the
time 512 bit encryption was sufficient encryption for everyday users. NSA
noticed that 512 bit encryption would not be difficult to crack with the
computer power they had but understood that it was only NSA who had the power
to do so. Moving forward around 15 years and this vulnerability was forgotten
about, but due to the increase of computer power hackers began to realize that
cracking 512 bit encryption or less was a very achievable task. In order for an
eavesdropper to use this sort of an attack they would need as little as $100 of
cloud computing and use an algorithm called Number Field Sieve which factories integers
well over 10100.The element of FREAK that made the attack so
dangerous was the ability to force RSA_EXPORT cipher suit while sending
encrypting data over HTTPS therefore making the client the target of the attack.
Most companies used software called OpenSSL or SecureTransport as their SSL
encryption but this is where the point of failure was, due to a bug in these
software attackers were able intercept and force weak encryption. What was more
outstanding was that this vulnerability was around for over 15 years. Knowing
this there were a lot of browsers that were susceptible to this attack
including Android and iPhone default browsers, not only was it just browsers
that were affected but also the operating systems such as Windows server 2003
that ran things such as ADFS or Mail servers.

Both Microsoft
and Apple failed to find this bug and due to the sheer amount websites
(including government websites) that were vulnerable to this attack they needed
to act fast to mitigate the damage. The attack was noticed on the 3rd
of March 2015 that lead Apple to release a patch on the 9th of March
and Microsoft to roll out on their next sprint on the 10th(Wikipedia, 2018). Initially in
order to reduce the impact, users were advised to use browsers such as Google
Chrome and Firefox which were not susceptible to the attack, and although this
did reduce the attacks, it was the patches to OpenSSL and SecureTransport that
announced the attack redundant.

Here is
what was advised for each user to terminate further FREAK attacks:

Administrator – Disable TLS export cipher suits and any other known cipher
suits that were known to be insecure.

A user –
Ensure that they had the most up to date web browser of their choice. Users
were strongly advised to use Firefox as they had full immunity to the attack.

Developer –
Ensure that all TLS libraries were up to date including, Apple Secure Transfer
and OpenSSL, furthermore confirm that all software does not offer Export cipher
suites under any circumstances.



4.       How
can attackers bypass firewalls? Describe at least 4 possibilities providing
enough technical details and some tools and countermeasures, if applicable.

personal experiences and research the four most common ways of bypassing a
firewall are Phishing, IP address spoofing, Social Engineering and SQL injection.
A couple of these techniques were used when technology was not secure as it was
today but some are still prevalent to date and are still used as a first step
in gaining access into a secure network.

emails – Phishing emails is a method where an attacker creates an identical
template of a corporate email, but within the email is a link to either a
website that is created by the hacker to mimic the already existing website
that is normally used within a business that will store credentials of the
internal user, or will install a key logger in the background in which the
attacker will be able to record all keystrokes by the victim of that attack.
With the increasing number of programs that have been created phishing emails
have become more and more popular with an increasing in successful attacks.
Currently there are a few ways in which this sort of attack can be mitigated;
first business can enroll employees on courses such as Bobs Business which
informs employees on the most common ways on spotting a phishing email. Alternatively
network administrators can set rules on a mail server where any email address
with a certain domain or include links/domains that could be deemed malicious
and sent to quarantine.

Spoofing IP
addresses – A firewall limits the connections to a network normally by setting
rules that only allow a finite set of IP address to connect. If an attacker was
able to find out the ranges e.g 52.310.0.0 – 52.310.255.255 an attacker would
be able to set their static IP to one of these ranges which makes their
connection look like an employees. In order to reduce the chances of this sort
of attack, other than changing the IP address range of the network a method
called Packet Filtering can be imposed on the firewall. What packet filtering does
is look at the headers of any packets that are incoming and looks through the
source code to see if it matches the ‘Spoofed ’IP address. The reason why this
is so effective is due to packets always leaving a trace of the original IP
address that the packet originated from, if this is found then the packet is
dropped and the connection is closed.

Engineering – This technique involves targeting employees on releasing or
changing sensitive information that otherwise is not the users. There many
different ways, in which an attacker is able to social engineer, an example
includes ringing an internal help desk impersonating a colleague. In order to
counteract this sort of an attack what business normally do is have a criteria
for the helpdesk that a customer or employee will need to answer in order to
confirm that they are the account holder This may include things such as
security questions or email verification, alternatively it could be a mixture
of these to improve security. Social engineering is currently the most common technique used by hackers, as of May 2016 according to
the FBI social engineering is resulted in losses of around £2.4 billion(Perez, 2016). The highest than
other attacks mentioned.

SQL Injection –Similarly how social
engineering’s aimed on changing confidential information, SQL also does this
but is based around attacking the database that the information is held
directly rather than a helpdesk employee. It works by executing an SQL
statement such as UPDATE, DELETE, ADD etc, this is done on a request to the
database and attacks poor quality security. In order to mitigate this,
databases can share sensitive information with a client by encrypting the data
on the database and in transit; furthermore PHP can be placed as a part of the
request which adds a backslash for the SQL parser to confirm where the end of
the request is, this ensure there is no trailing quires.

5.       Write
an in-depth description of one of the POODLE/Heartbleed/Shellshock
vulnerabilities against SSL/TLS, extracting possible security lessons from them
and detailing how they have been stopped.

was the name of a bug that was present in OpenSSL from around 2012 to 2014. The
name Heartbleed was named after the operation that was taken advantage of which
was named a heartbeat. When a user connects with a server they will first need
to establish a connection to set up a session. As there are a limited amount of
sockets on a server it needs to know which ones are still valid and does this
by implementing a heartbeat. The heartbeat acts as a send receive message and
can be as big as 64Kb, letting know that the client still needs information
from the server. Heartbeat works by the client sending a message up to 64Kb to
the server which send back the same message. The exploitation used was when a
hacker sent a 1Kb message from the client but masking it as a 64Kb message, the
server will then reply with that 1Kb message but will pad it with 63Kb. The
content of this 63Kb will be random information from the server, mostly this
will have garbage but in some instances it will hold usernames and passwords
from the database. What was more problematic was that this exploitation could
be done multiple times, meaning that if the hacker did not receive anything of
interest initially they would have able to use the vulnerability again until
they received something they needed or was of interest to them.

To confirm,
the issue was not with the SSL/TLS protocol itself but was with the OpenSSL
software but as OpenSSL is the most popular software used a lot of web servers
were vulnerable. As of May 2014 they say that 1.5% of the 800,000 most popular
websites that use TLS are still vulnerable to Heartbleed(Wikipedia, 2018). The vulnerability
was patched early April 2014 and added to the Common Vulnerabilities and
Exposure database, this did resolved the issue but in order for a server to
fully rid of the bug there were other procedures that existed to fully mitigate
the issue.

1.       Patch systems that have/would be
susceptible to the bug – When the fix was rolled out all servers running older
versions of OpenSSL need to be updated.

2.       Regenerate private keys – As the
Heartbleed was used to gain information from the server the message dumps could
have contained private keys used from encryption either in conversation with
another client and a server or communication with services such as ADFS

3.       Installing new Certificates –
Similar to the previous steps, hackers could have obtained the certificates
used to authenticate a client and a server therefore an attacker could redirect
traffic to a dummy website posing as the real web server and the browser would
not know as they have the certificate as proof.

4.       Reset passwords – Once again as
passwords could have been view from the memory dumps passwords could have been
leaked. Not only could this bug release users passwords on the server but could
also affect administrators as well.







HENINGER, A.H.A.N., 2015. How is NSA breaking so
much crypto? [Online] Available at: [Accessed 9 January 2018].
Medium, 2016. Why
privacy is important, and having “nothing to hide” is irrelevant.
[Online] Available at: [Accessed 09 January 2018].
Perez, R., 2016. 60%
of enterprises were victims of social engineering attacks in 2016.
[Online] Available at: [Accessed 10 January 2018].
Wikipedia, 2018. FREAK.
[Online] Available at: [Accessed 11 January 2018].
Wikipedia, 2018. Heartbleed.
[Online] Available at: [Accessed 14 January 2018].