Homework

Reading Assignment: Chapters 1 (skip section 1.4) and 3.

Lab Assignment 1 (5 points):
Download Cygwin-X by visiting http://x.cygwin.com/ and following the instructions for "Downloading and Installing". Don't worry about adding on extra modules. We'll do this later. When you have installed the program correctly, bring up an X-window (refer to user manual), type your first and last name at the command prompt and print out a screen shot.
The screenshot is due on Tuesday, January 17.
Reading Assignment: Chapter 2

Articles:
   Security Domains (Read entire article)
   TCSEC (Read the entire Introduction, from Historical Perspective up until Part I; Sections 3.1.1.2, 3.1.3.1.1, 3.2.2.1.1, 3.2.3.1.1; all of sections 6 and 8)
Reading Assignment: Chapters 9 and 10

Lab Assignment 2 (10 points):
Download and run the Microsoft Baseline Security Analyzer Tool 2.0 from here. If you are not using Internet Explorer for a browser, you may need to download a validation plug-in first. You can leave the default settings as-is when you run the tool. Save a screenshot of your results. Then complete the "Securing Windows, Step-by-Step" lab found in Appendix C of your book. You can skip C.7 as hopefully you are already running anti-virus software. Once you have completed all of the steps, run the MBSA tool once again. Save a second screenshot of these results. Compare the two screenshots to see if vulnerabilities that were found in the first scan were fixed in the second scan. To get credit for the lab, you only need to hand in both screenshots (either through email or hand in paper copies in class). If you are worried the changes you make to your computer may affect future performance, you can create a restore point on your computer before making the changes in Appendix C (see setting a restore point).

The second portion of the lab will involve unix security. Open your cygwin-x application. Start an X-Window. Move to the tmp directory by typing "cd /tmp". Create a file with the touch command. You can name the file your first name. So in my case, I would type "touch matt". Now list all files/directories in the /tmp directory by typing "ls -la". Notice the default permissions that were applied to the file when you created it. You can check default permission settings by using the umask command. First type in "man umask" to read how this program works (you'll have to tab further down the page until you find umask by using the space bar). Then type CTRL-Z to get back to your prompt. Type in "umask" and notice the settings. You can also check access control settings by typing in "getfacl filename" and of course replacing filename with the actual name of your file. Once you've done this take a screenshot. You can set access control settings with the setfacl command. Use the man pages to read about these commands for further assistance. To see what processes are running on your system, type in "ps -ef". Take a screenshot. Now terminate one of those processes by using the kill command. You need to identify the process ID of the process you wish to terminate. The process ID will be the number in the leftmost column after your user name. Type in "kill -9 PID" and replace PID with the correct process ID. List your running processes again ("ps -ef") and take another screenshot. Make sure that the process that you terminated is no longer showing in the list. Finally, you can view linking information regarding a particular executable. Run the nedit text editor by typing "nedit &". Make sure you type the & sign. After the editor pops up, go back to your prompt and use "ps -ef | grep nedit" to locate the PID of nedit. You can man grep if you want to know how it works. Then type in "strace -p PID -w" to attach the strace program to the nedit process (man strace before running it). Notice the information that appears on the screen. This will probably continue to change, but take a screenshot at some point. To kill strace and nedit, go back to the prompt where you typed the strace command, list all running processes ("ps -ef"), and type in "kill -9 PID1 PID2" and replace PID1 with the process ID of nedit and PID2 with the process ID of strace. Both processes should end. Exit out of your X-window. Then, in the cygwin prompt, use the ps -ef command to locate the PID for xwin. Kill that process and exit out of the prompt.
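The umask, file permission and kill steps above, as an added shell script that is not part of the course page: it uses a scratch directory instead of /tmp and a background sleep as the process to terminate (both assumptions of the example), and checks the result of each step instead of relying on a screenshot.

```shell
#!/bin/sh
# Added example (not part of the course page): exercises the umask,
# file-permission and kill steps of the lab in a scratch directory, so
# the result of each step can be checked rather than only screenshotted.

WORK=$(mktemp -d)            # scratch directory instead of /tmp itself

# Create an empty file under the given umask and print its permission
# string (e.g. rw-r--r--). New files start from 0666; the umask removes
# bits, so 022 drops group/other write and 077 drops all group/other.
perm_under_umask() {
    f="$WORK/file_$1"
    rm -f "$f"
    ( umask "$1"; touch "$f" )   # subshell: caller's umask is unchanged
    ls -l "$f" | cut -c2-10
}

# Start a background process, locate its PID in 'ps -ef' output (the
# lab's method), send SIGKILL, and confirm it is gone. Returns 0 if the
# process was found and terminated, 1 otherwise.
kill_background_process() {
    sleep 300 &
    pid=$!
    # PID is the second column of ps -ef; match it exactly, not by
    # substring, so PID 12 does not also match 1234 the way grep would.
    found=$(ps -ef 2>/dev/null | awk -v p="$pid" '$2 == p { print $2 }')
    if [ -z "$found" ] && [ -d "/proc/$pid" ]; then
        found=$pid                # no usable ps: fall back to /proc
    fi
    if [ "$found" != "$pid" ]; then
        echo "pid $pid not found" >&2; kill -9 "$pid"; return 1
    fi
    kill -9 "$pid"
    wait "$pid" 2>/dev/null || true   # reap it so no zombie lingers
    if kill -0 "$pid" 2>/dev/null; then
        echo "pid $pid still alive after SIGKILL" >&2; return 1
    fi
    echo "terminated $pid"
}

echo "umask 022 -> $(perm_under_umask 022)"   # rw-r--r--
echo "umask 077 -> $(perm_under_umask 077)"   # rw-------
kill_background_process
```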
All screenshots are due on Thursday, February 2.
Reading Assignment: Chapter 11

Articles:
   Database Security - Concepts, Approaches, and Challenges by Elisa Bertino and Ravi Sandhu, IEEE Transactions on Dependable and Secure Computing, Vol. 2, No. 1, January-March 2005. (The easiest way to retrieve this article is to log on to https://sslvpn.pitt.edu with your Pitt credentials, select Pitt Digital Library, choose the option "Databases A-Z", click the IEEE Xplore link halfway down the page, and search for the above article's title.)

   www.sans.org/resources/policies/Server_Security_Policy.pdf

   http://www.cert.org/security-improvement/modules/m07.html

   http://www.cert.org/security-improvement/practices/p025.html

Reading Assignment:

Articles:
   http://peter.korsgaard.com/articles/bufferoverflows.php

   http://www.astalavista.com/index.php?section=docsys&cmd=details&id=38

   http://www.insecure.org/stf/smashstack.txt

Here is a link to a short video presentation (no sound): tutorial.avi

Lab Assignment 3 (10 points):
This lab will consist of two parts. The first involves host security on a Windows system. Download the GFI LANguard System Integrity Monitor tool from the following URL: http://www.download.com/GFI-LANguard-System-Integrity-Monitor/3000-2653_4-10175457.html. This tool is used to maintain the integrity of files on your local host. Once you tell the software what files you want it to watch, it will create unique identifiers (cryptographic MD5 hashes) for each file. If any of those files are altered, that particular file's unique identifier will also change. When the software scans the altered file later, it will be able to tell the file was altered because it will detect that the unique identifier changed. Once you have installed the software properly, create a file on your system with your name as part of the title of the file (e.g. mattz.txt). Then you must configure the software to scan that file. For installation and step-by-step configuration instructions, please refer to the following URL: http://support.gfi.com/manuals/en/lansim/helpcontents1.htm. Schedule the scan 10 minutes from now (record this on a screenshot). Once you have created the scan (name it whatever you want) make sure you add the new file you created to the scan (the manual tells you how to do this). Select your newly created scan, open the properties box, choose the Schedule tab, and click the Scan Now button. Once the scan has finished, alter the text file you created (add some text and save it). Once the scan runs (10 minutes from the time you set up the scan), it should detect that the file was altered. You can demonstrate this to me in two ways. First, if you have the ability to connect to a local mail server, you can configure the scan (on the Email tab) to email the alert to my Pitt email address. However, a simpler approach is to check your Windows Event Viewer. You can check this the way we did it in class or by expanding the Event Viewer in the left hand pane of your GFI LANguard System Integrity Monitor application. You'll see there was a new log created entitled the name of the software. Choose that log, select the entry that was created from the scan, right-click it and choose properties. This is your system telling you that it detected that the file was altered. Take a screenshot. Now you're done, just email me both screenshots that you took (or hand them in class).

The second part of the lab involves cygwin-x. Open up your cygwin prompt and launch an X-window. You must launch the X-window for this lab to work. You are going to implement the syslog daemon. Remember, syslogd is the main logging facility for unix. In cygwin, you must run a script first before starting the syslogd daemon. First, change into the /bin directory. Since there are a lot of different programs in this directory, you want to narrow down your search. Type in the following: ls -la | grep syslog. ls is the command to list files and directories. You are narrowing the list by stating you only want to display directories/files that contain the text "syslog" in their names. There should be three in your list. You need to run the syslogd-config script. Do this by typing the following: ./syslogd-config. Answer yes to any questions. Once finished, a new configuration file should have been created for you. Change into the /etc directory. List the files and folders using the ls command. There should now be a file called syslog.conf. You can alter what the system logs by editing this file. Open this file in any text editor. If you want to use nedit and you have downloaded it from the cygwin-x website, type in: nedit syslog.conf &. The & puts this in the background. Once you have opened the file in a text editor, take a screenshot. Notice that the bottom line does not have a # in front of it. That means that line has not been commented out. *.* means you are going to log everything. Close the file. Now change into the /var/log directory (cd /var/log). Use the ls command to list the files/directories. There should now be a file called messages. If not, type in the following to create it: touch messages. Then type in: chmod 755 messages. This will alter the permissions of the file. Any log messages will be written to this file. Now you must run syslog. Just type in (syslog &) at your prompt. This will start the syslog daemon. Any events will log to /var/log/messages. Type in: ps -ef | grep syslog. This will confirm you are running syslog. Take a screenshot. Now try to generate a message. You can read the man page for syslog by typing in: man syslogd. You can then read what events are recorded by syslog. You can also google "syslog events" as well. Once you have recorded any event in /var/log/messages, use the cat command to display the contents of the file in the terminal: cat /var/log/messages. Take your final screenshot. That's it!
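An added shell example (not from the course page or from cygwin's syslogd) that evaluates syslog.conf selectors like the *.* line mentioned above against a message's facility and priority, using a constructed two-rule configuration; the function names and the sample rules are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the course page): evaluates syslog.conf selectors
# such as the lab's "*.*" line, so you can predict which messages a rule
# sends to /var/log/messages. Handles '*', comma-separated facilities and
# priority names; the 'none' and '=prio' selector forms are not covered.
set -f   # no filename globbing, so an unquoted '*' selector stays literal

# Numeric level of a priority name (emerg=0 ... debug=7). '*' is the least
# severe, so it behaves as debug; unknown names give 99.
prio_num() {
    case $1 in
        emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;;
        err|error) echo 3 ;; warning|warn) echo 4 ;; notice) echo 5 ;;
        info) echo 6 ;; debug|'*') echo 7 ;; *) echo 99 ;;
    esac
}

# selector_matches SELECTOR FACILITY PRIORITY: match when the facility is
# listed (or '*') and the message priority is at least as severe as the
# selector's (numerically <=). Returns 0 on match, 1 otherwise.
selector_matches() {
    facs=${1%.*}; selp=$(prio_num "${1##*.}"); msgp=$(prio_num "$3")
    [ "$selp" -lt 99 ] && [ "$msgp" -lt 99 ] || return 1   # unknown name
    hit=1; sifs=$IFS; IFS=','
    for f in $facs; do
        [ "$f" = '*' ] || [ "$f" = "$2" ] && hit=0
    done
    IFS=$sifs
    [ $hit -eq 0 ] && [ "$msgp" -le "$selp" ]
}

# route CONF FACILITY PRIORITY: print the target of every rule in CONF
# ("sel1;sel2<tab>target") whose selectors match; '#' lines are comments.
route() {
    while read -r sels target; do
        case $sels in '#'*|'') continue ;; esac
        rifs=$IFS; IFS=';'
        for s in $sels; do
            selector_matches "$s" "$2" "$3" && { echo "$target"; break; }
        done
        IFS=$rifs
    done < "$1"
}

# Constructed config: the lab's catch-all line plus a narrower auth rule.
CONF=$(mktemp)
printf '# everything, as in the lab\n*.*\t/var/log/messages\nauth,authpriv.warning\t/var/log/auth.log\n' > "$CONF"
route "$CONF" authpriv err    # prints both targets
route "$CONF" kern info       # prints /var/log/messages only
```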
All Screenshots are due on Thursday, February 16.

Reading Assignment: Chapters 5 and 6

Articles:
Cryptology Paper

Lab Assignment:
This lab will involve using cryptography for confidentiality, integrity, and non-repudiation. For the first portion of the lab, you need to download a packet sniffer called ethereal (www.ethereal.com). From the download page, download the Windows version. Once you download the software, just execute it. An installer will take care of everything, including installing all other necessary components. You can accept all defaults. The documentation page explains how to use the GUI to capture packets so I will not explain it here. You need to execute ethereal so that it will sniff all packets going to and from your machine. Then you need to telnet (using the DOS prompt or any other telnet client) into paradox.sis.pitt.edu. It is important that you don't provide your real username and password. You can make up any username and password and try to connect. Once you receive the rejection notice, stop ethereal. Now find the packet where the username and password were sent to the paradox server. Again, refer to the documentation (hint: you can sort packets by protocol or you can use the Filter option). Once you've located the correct packet, find the data section of the packet in the bottom window of the GUI. Take a screenshot (the username and password must be viewable). As you can see, your information was sent in "plaintext". Any attacker could sniff this traffic and steal your credentials. We must attempt to secure the confidentiality of the network traffic by using cryptography. We can do this by using a more secure protocol that uses encryption, such as SSH (Secure Shell). In order to use ssh, you must use a client that has ssh built into it. You can use cygwin (if you haven't uninstalled it yet). Or you can download a free ssh client. This site will give you plenty to choose from: http://www.openssh.com/windows.html. Using any of these clients is pretty simple. Typically, you have to choose ssh as a communication option, enter the server destination (paradox.sis.pitt.edu), and then enter your real username and password. Don't worry about entering a public key or verifying the server's public key (you can usually bypass this by selecting the correct option to skip it). If you already use WSFTP to upload files to a server (doesn't have to be paradox) then you can choose to use ssh instead of telnet. Whatever you choose, make sure you start ethereal before you login with the ssh client. Once you've logged in successfully, stop ethereal. Locate the same packet used to send your username and password. Notice how the data is encrypted and is not legible. If an attacker were to sniff this data, he/she would not be able to read it. Take a screenshot of this packet.

Now we will use cryptography to prove integrity. Visit the astalavista website (www.astalavista.com) and locate the download page for the tool called superscan (you can search the site for this software and choose the one that says "v4.0"; the file name is superscan4.zip). Notice how there is an MD5 Checksum value. Copy this value into a text editor for later use. Download the file. Now, just as you located an ssh client, you need to download a free "MD5" hashing program for Windows. You can google for one as there are many out there (I used one from www.fastsum.com). Also, cygwin has a built-in command line program called md5sum, as do many linux distributions. What you need to do is create a hash of the superscan file you downloaded previously using the MD5 software (the software is typically straightforward and usually you just need to choose the file you want to create a hash for and click a button). Take a screenshot of the result. Now make sure your result matches the MD5 hash value you copied into your text editor. If they match, that means the file was not altered (unless of course somebody hacked into the astalavista website and altered the file and changed the MD5 value that is displayed). Now we have used cryptography to prove integrity.
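An added example (not the GFI tool's code and not part of the course page) showing the mechanism behind both the integrity monitor from Lab 3 and the download check above: record an MD5 digest per watched file, re-hash later and report what changed, and compare a download against a published checksum. The file names, the baseline database format and the scratch directory are constructed for the demonstration; MD5 is used to match the labs, although for new deployments a SHA-2 digest is the usual choice since MD5 collisions are practical.

```shell
#!/bin/sh
# Added example (not from the course page): a minimal file integrity
# monitor in the spirit of the GFI tool from Lab 3, plus the published-
# checksum check from the cryptography lab, both built on MD5 digests.

# Print the hex MD5 digest of a file (md5sum on Linux/cygwin, md5 on BSD).
digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# Record the digest of every watched file: baseline <dbfile> <file>...
baseline() {
    db=$1; shift
    : > "$db"
    for f in "$@"; do
        printf '%s  %s\n' "$(digest "$f")" "$f" >> "$db"
    done
}

# Re-hash every baselined file; print ALTERED/MISSING lines for changes.
# Returns 1 if anything changed, 0 if the set is intact.
verify_baseline() {
    rc=0
    while read -r old f; do
        if [ ! -e "$f" ]; then echo "MISSING  $f"; rc=1
        elif [ "$(digest "$f")" != "$old" ]; then echo "ALTERED  $f"; rc=1
        fi
    done < "$1"
    return $rc
}

# Compare a download against the checksum published next to it; digests
# are compared case-insensitively since sites print either hex case.
verify_download() {
    [ "$(digest "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Demonstration with constructed files in a scratch directory.
WORK=$(mktemp -d)
printf 'hello\n' > "$WORK/mattz.txt"
baseline "$WORK/baseline.db" "$WORK/mattz.txt"
verify_baseline "$WORK/baseline.db" && echo "baseline intact"
printf 'tampered\n' >> "$WORK/mattz.txt"     # simulate an alteration
verify_baseline "$WORK/baseline.db" || echo "integrity violation detected"
```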

Finally, we will use cryptography to prove non-repudiation/authentication. Log in to your Pitt account using a browser (http://my.pitt.edu). Double-click the lock in the bottom-right of the page. Find where it shows who the issuer of the certificate is (i.e. who the certificate authority is). Take a screenshot. Then locate the public key field and click on it. Notice the algorithm that is being used. Take another screenshot. Now locate where your certificates are stored (for IE, select Internet Options, Tools, Content tab, then click the Certificates button). Find the certificate authority that issued the certificate for my.pitt.edu within the "Trusted Root Certification Authorities" tab (there may be more than one that matches but make sure the "class" value is correct). View the certificate and take your final screenshot. This shows that the certificate for my.pitt.edu was vouched for by that particular certificate authority. This certificate is what authenticates my.pitt.edu to our machine.
This lab assignment is due by Saturday, March 25.