
CS2413 Information Security Tutorial 2024-01-12

Uploaded by

Harsimar Rattan

CS2413 Information Security

Tutorial 2024-01-12
1. Which of the following is the greatest risk
when it comes to removable storage?
A. Integrity of data
B. Availability of data
C. Confidentiality of data
D. Accountability of data

2024-01-14
2. You are developing a security plan for your
organization. Which of the following is an
example of a physical control?
A. Password
B. ID Card
C. Encryption

3. A user receives an email, but the email client
software says that the digital signature is
invalid and the sender of the email cannot be verified.
The would-be recipient is concerned about which
of the following concepts?
A. Confidentiality
B. Integrity
C. Availability

4. Cloud environments often reuse the same physical hardware
(such as hard drives) for multiple customers. These hard drives
are used and reused as customer virtual machines are
created and deleted over time. What security concern does
this raise?
A. Availability of virtual machines
B. Integrity of data
C. Data confidentiality
D. Hardware integrity

5. When is the system completely secure?
A. When it is updated
B. When it is assessed for vulnerabilities
C. When all anomalies have been removed
D. Never

https://www.cbc.ca/news/business/etransfer-fraud-security-1.5296860

A Toronto-area contractor says it was "pretty
creepy" to discover someone had hacked into his
email and impersonated him — convincing
customers of his family-owned granite
countertop business to send thousands of
dollars via e-transfer.
The fraudsters then stole the payments.
"You can't think of something like this
happening," said Sarmen Sinani, of Markham,
Ont.
"They [fraudsters] were saying, 'Send me the
money. And don't send a cheque. Just e-transfer
it.'"
Sinani is one of more than 200 people Go Public
has learned were recently targeted by fraudsters
who stole tens of thousands of dollars, sent via
Interac e-transfers, by breaking into email
accounts and redirecting the money.
To his surprise, his client said she had e-transferred it on March 15. Sinani searched
through deleted emails and discovered a fraudster had impersonated him and told his
client to e-transfer $2,775.

"The hacker would alter my conversation to them [his customer] and alter their
conversation to me," said Sinani. "Basically they were taking full control of two people,
just going back and forth. It's unbelievable."

Posing as Sinani, the fraudster told his client he had an out-of-town family emergency
and instructed her not to stop by the store to drop off a cheque.
Instead, the fraudster told her to send an e-transfer to a new email that appeared similar
to the actual email for Sinani's family business, Sinco Marble and Granite.

Then, the fraudster posed as Sinani's client and altered her emails, telling Sinani that she
was dealing with a family emergency and couldn't come to the shop to pay the deposit.
https://www.ibtimes.co.uk/cybersecurity-experts-warn-user-credentials-are-more-vulnerable-now-2018-1683179?&web_view=true

Question 1: Based on your understanding of the news, what are the
main challenges in adopting passwords as a means of
authentication?

A1:
1. For strong security, a password is
not user-friendly: we have to
memorize a long password.
2. With multiple services, it is hard
to memorize multiple long
passwords. In the short term we
may remember all of them.
Over a long period, however, if we
do not use them often, we will
forget some of them.
3. Using the same password for
multiple services is vulnerable.
https://www.darkreading.com/application-security/zoom-brings-two-factor-authentication-to-all-users/d/d-id/1338885?&web_view=true

Question 2: Based on the news, what
is two-factor authentication (2FA)?
Can it address the "not user-friendly"
issue of passwords? Is there any
weakness in two-factor
authentication?
A2:
1. Authentication no longer depends
only on the password; it also
relies on another source (SMS, call)
for authentication.
2. We still need a strong password.
3. If the password is guessed and the
phone is lost, 2FA may not be
sufficiently secure.
Define E as the event that authentication is invalid, which happens if both of the following events occur.

E1: an attacker correctly guesses the password.
E2: the attacker happens to get the smartphone and accesses the SMS.

Assume E1 and E2 are independent. Then:

Pr[E] = Pr[E1 ∧ E2] = Pr[E1] × Pr[E2]

Pr[E2]: depending on the situation, this probability may be small or large.
Pr[E1]: the stronger the password, the smaller the probability Pr[E1].

We still need a strong password, but 2FA can improve the security level of authentication.
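
A worked instance of the model above, added here as an example and not part of the original tutorial. It goes one step further than the text by deriving Pr[E1] from the password keyspace and checks the product rule by simulation. Assumptions: the password is chosen uniformly at random, the attacker gets 1000 distinct guesses, and Pr[E2] = 1/100; all scenario names and numbers are constructed.

```python
import random
from fractions import Fraction

def pr_e1(alphabet: int, length: int, guesses: int) -> Fraction:
    """Pr[E1]: `guesses` distinct tries hit a uniformly random password."""
    return min(Fraction(1), Fraction(guesses, alphabet ** length))

def pr_e(p1: Fraction, p2: Fraction) -> Fraction:
    """Pr[E] = Pr[E1] * Pr[E2]; valid only if E1 and E2 are independent."""
    return p1 * p2

def simulate(p1: float, p2: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of Pr[E1 and E2] with the events drawn independently."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        e1 = rng.random() < p1   # password guessed
        e2 = rng.random() < p2   # phone obtained and SMS read
        hits += e1 and e2
    return hits / trials

# Constructed values (assumptions, not taken from the tutorial).
GUESSES = 1000                      # tries allowed before lockout
PR_E2 = Fraction(1, 100)            # chance the attacker also controls the phone
SCENARIOS = {
    "4-digit PIN": (10, 4),
    "8 lowercase letters": (26, 8),
    "12 printable ASCII": (94, 12),
}

def table():
    """Return (name, Pr[E1], Pr[E]) for each constructed password policy."""
    rows = []
    for name, (alphabet, length) in SCENARIOS.items():
        p1 = pr_e1(alphabet, length, GUESSES)
        rows.append((name, p1, pr_e(p1, PR_E2)))
    return rows

if __name__ == "__main__":
    for name, p1, p in table():
        print(f"{name:20s} Pr[E1]={float(p1):.3e}  Pr[E]={float(p):.3e}")
    print("simulated Pr[E] for p1=0.1, p2=0.5:", simulate(0.1, 0.5, 200_000))
```

With a 4-digit PIN the second factor carries almost all of the protection, while a strong password keeps Pr[E] negligible even when Pr[E2] is large, which is why the tutorial says a strong password is still needed.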
