Cs 04-2023
computer security
Uploaded by
ishmael
UNIVERSITY OF ZIMBABWE
2023 APRIL Examinations

Faculty: Computer Engineering Informatics and Communications
Department: Computer Science
Paper Code and Title: HCS412, HCT 420, BSFS — Computer Security; HETT402 — Computer Networks & Network Security
Duration: Two (2) hours
Examiner: Miss Jowa
Authorized Material: None

INSTRUCTIONS
1. This paper contains No Sections and Five Questions.
2. Answer all questions.
3. Start each question on a new page.
4. This paper comprises five (5) printed pages.

Question 1 [25 marks]

a) People pick bad passwords, and often use the same bad password across many sites. Someone proposes using the block chain to solve this problem: for every site S, user email address M, and password P, put {S, M, H(P)} on the block chain, where H is a strong cryptographic hash function such as SHA-3.
i. Discuss the merits of this idea, on whether it is a good or a bad idea.
ii. Discuss if it would be better if sites put {H(S, M, P)} on the block chain instead. (5 marks)

b) Zoom has been criticized for poor security: bad cryptography, lack of end-to-end encryption, guessable meeting IDs that can lead to Zoom-bombing, apparently poor quality code per CyberITL's metrics, abuse of privileged mechanisms on Macs, etc. Suppose they respond by saying, "We are going to put a firewall in front of our servers; all participants' computers should also be behind a firewall." Briefly explain if this will help or not. (5 marks)

c) Given a firewall that can examine the contents of packets, including reconstructing connection streams, explain how it protects against transmitting unencrypted credit card numbers over the network. (5 marks)

d) As the Chief Security Officer (CSO) of a company, you have recently come to believe that the application that your company relies on for most of its revenue is buggy and probably insecure. However, the last two times someone tried patching it, a year or so ago, it did not work at all, and people had to scramble to back out the patch before the company lost too much money. There are reports online that newer patches are also problematic, and of course you do not know how many security holes are not patched. The task force you have assembled to study the issue has come up with three options:
- Apply all patches on a test system and try very hard to get it working.
- Leave the application alone, but strengthen your internal logging, monitoring, and intrusion detection, so that you'll learn if the application was penetrated.
- Buy a competing product that does the same thing. However, the API to this competing product is very different, so it will take a fair amount of programming effort to make it usable in your environment. Additionally, the company that created it is new and does not have much of a track record, though their CTO and CSO are well known and highly respected.
Discuss the merits/demerits of each of the options given with clear reasoning. Also pick the most suitable method, explaining why this is so. (10 marks)

Question 2 [15 marks]

You are sitting in a coffee shop enjoying a latte and doing some relaxing computer security reading at http://awesome-security-stuff.com. You are connected on the coffee shop's Wi-Fi network.

a) Assuming you are only browsing http://awesome-security-stuff.com, who is potentially able to observe what articles you are reading? (3 marks)

b) Briefly discuss a technology that could reduce the number of parties in part a) that can observe your traffic. (3 marks)

c) If you use the technology you listed in part b), who will still be able to know a complete list of all the articles you view? (3 marks)

d) You notice that each article has a Facebook Like button, loaded as such:
allowing you to indicate on Facebook that you enjoyed this article. If Facebook wanted to, could it track what articles you are visiting, if you don't click on the Like button? Justify your answer. (3 marks)

e) Assuming you were using a computer provided in the coffee shop, and you accessed your email account from this computer. Before leaving the coffee shop, you made sure beyond any doubt that your email account was now not open within the browser window. The next user that came in behind you utilized the same browser to re-access your account. They began to send emails from it to fellow students and university management. Briefly discuss what could have happened and the steps to be taken to prevent this from happening. (3 marks)

Question 3 [20 marks]

The University of Zimbabwe wants to implement an Online Examination System where students will write open book examinations on paper, downloading the exam using a mobile phone or laptop in the comfort of their homes. After downloading the exam they are supposed to write a timed exam. When they have finished writing the exam they scan the answer sheet using the clear scanner app on their mobile phones to upload to the exam system.

a) During the exam there is a network disruption and the candidates have to log in again. What security measure will you employ to ensure it is the correct candidate writing the examination? (3 marks)

b) How do you prevent and check for collusion and cheating using the examination system? (3 marks)

c) Briefly discuss the security breaches that can affect the online examination system and the measures you can employ to overcome the breaches. (3 marks)

d) Describe a scheme that can be used for coming up with the students' passwords, explaining how your requirements improve security. Mention possible attacks on passwords that do not follow the scheme you have suggested. (3 marks)

e) Which methods can you use to prevent unauthorized exam registration: (3 marks)
i. of an unregistered student
ii. from a botnet

f) Ever since Covid-19, university employees are increasingly connecting to the university's networks remotely via mobile devices such as laptops, tablets and smartphones. Remote access needs to satisfy five essential requirements to be efficient and secure, and these are authentication, confidentiality, access control, integrity and availability. (5 marks)
i. Briefly discuss how a VPN achieves secure remote access.
ii. Which other method can be used to achieve secure access? Briefly discuss the chosen method.

Question 4 [22 marks]

a) Suppose that someone suggests the following way to securely confirm that the two of you are both in possession of the same secret key. You create a random bit string the length of the key, XOR it with the key, and send the result over the channel. Your partner XORs the incoming block with the key and sends it back. You check, and if what you receive is your original random string, you have verified that your partner has the same secret key. Briefly discuss if this scheme is secure. (3 marks)

b) Authentication is an essential part of secure communications. With your knowledge of public key cryptography, briefly explain how Alice can confirm the identity of Bob. (4 marks)

c) One of the requirements of the Health Insurance Portability and Accountability Act (HIPAA) is that health care organizations must protect [...]ies from unauthorized access. Would it be better to use a mandatory or a discretionary access control system to control access to patient files? Explain your answer. (5 marks)

d) The following files are shown by an ls -l command on a typical Unix system:

exresrex 1 charlie acct 70483 2008-01-04 22:53 accounting
-rw-— 1 alice acct 139008 2008-05-13 14:53 accounts
-rwxr-r-n 1 system system 230482 1997-44-27 22:53 € Asst
-rw-rere 1 alice users 7072 2008-96-01 22:53 ev.txt
--r---— 1 bob gurus 19341 2008-06-03 13:29 exam
bebuuees —r-— 1 alice gurus 6316 2008-06-03 16:28 solutions

Unix users Alice and Bob are both members of only the group users, while Charlie is a member of only the group gurus. Application editor allows users to read and write files of arbitrary name and change their permissions, whereas application accounting only allows users to append data records to the file accounts. Draw up an access control matrix with subjects {alice, bob, charlie} and objects {accounts, ev.txt, exam, solutions} that shows for each combination of subject and object whether the subject will, in principle, be able to read (R), (over)write (W), or at least append records (A) to the respective object. (10 marks)

Question 5 [18 marks]

a) Suppose an attacker steals the private key of a website that uses TLS, and remains undetected. What can the attacker do using the private key? (3 marks)

b) A certificate authority that issues a TLS certificate for example.com can also passively decrypt TLS traffic to example.com. (3 marks)

c) Briefly discuss the three properties of hash functions. (3 marks)

d) Alice and Bob just arrived at Brewed Awakening coffee shop. Eve is already there, enjoying a cup of tea. Turns out that Brewed Awakening's network has no encryption. Alice warns Bob that it is not safe to use this connection, but Bob disagrees. Bob connects to the WiFi, and tests that he has Internet connectivity by going to …om. It loads without issues. Bob says to Alice: "See, no. …es6 was totally safe!" If Bob is correct and the access to kewlsovialnet.ce safe, explain why he is correct. If he is not correct, provide (4 marks)

e) Bob then further decides to check his bank balance over this connection so that he can see if he has enough money to buy the last muffin. Eve hears this and panics! She wants the last muffin too but is waiting for her friend Mallory to bring enough cash to buy it. She is now determined to somehow stop Bob from buying that last muffin by preventing him from checking his bank account. Through the corner of her eye, Eve sees Bob start to type https://bank.com in his browser URL … network attacks Eve can do to prevent Bob from checking his bank account. For each attack, describe clearly in one or two sentences how Eve performs the attack. (5 marks)

End of Paper