
Computer Security Assignment 2

Student # 20794648

The Investigation of Threats to the System: The Case of a Widgets Inc Virtual Image of the Server

ABSTRACT
Society depends on computer, Internet and Web technologies more than ever. Yet as hardware and software grow more complex, the number of vulnerabilities in computer systems, and of malicious intrusions exploiting them, grows as well. Reports of leaked data appear on the Internet daily (INFOWATCH, 2018), and such breaches can be costly to an organization: lost money, reputation, products and customers, and in the worst case the collapse of the company (Armerding, 2018). Evaluating the weaknesses of a system and addressing them has therefore become critical for every organization. This report examines the security weaknesses of, and threats to, the new web-based store of Widgets Inc, and proposes measures to raise the security level of its server, based on vulnerability testing and vulnerability assessment performed with Free and Open Source Software (FOSS) tools. The work follows the network and system administrator's best practices that are applied in day-to-day operations to investigate breaches and prevent malicious intrusion, and aims to show why a systematic investigation of a system is needed and which methods are suitable against attackers. The tools used were Oracle VM VirtualBox, Kali Linux, John the Ripper, the Network Mapper (Nmap) port scanner and the Open Vulnerability Assessment System (OpenVAS).

General Terms
Free Open Source Software (FOSS), System Investigation, Vulnerability testing,
Vulnerability assessment, Malicious Detection, Virtual Machine image, Security
evaluation, Port Scanning, Fingerprinting.

1. INTRODUCTION
Information technology can be considered one of the primary resources of the modern world; it takes part in almost every aspect of daily life. However, the very availability and wide dissemination of information technologies also make them highly exposed to harmful effects.
A threat to information security is an action that can lead to the destruction, distortion or unauthorized use of IT resources (Stanley, 2010). Organizations increasingly recognize the importance of protecting their information (Basta, Basta and Brown, 2014): the more information a company holds, the larger the problem of ensuring its security, preventing unauthorized access to sensitive data and guarding against physical destruction. Protection of digital data is therefore one of the most significant parts of building a system securely (Rhodes-Ousley, 2013).
This report covers the security of the Widgets Inc server from several angles, including physical access and weaknesses in services and applications, and conducts a vulnerability assessment. The experiments combine practical techniques for detecting hardware and software vulnerabilities with recommendations for mitigating the weaknesses found, following the network and system administrator's best practices for securing a system.

2. BACKGROUND
2.1 Basic definitions in the field of information security
A weakness (vulnerability) in an organization's network is a weak point that makes damage to the system or leakage of information possible. Such undesirable events are the consequence of defects in the system.
An attack on a computer system is the set of actions an attacker uses to find and exploit a vulnerability to their advantage (Brinkley and Schell, 1995).
Vulnerability testing is the process of evaluating the security weaknesses of a company's IT infrastructure with authorized tools and techniques that simulate malicious attacks.
Vulnerability assessment is the audit process of identifying the weak points of a computer system and the security level of an organization's IT infrastructure; its results are expressed in terms of confidentiality, integrity and availability (Metivier, 2017).

2.2 Types of System Threats


2.2.1 Threats to Workstation Security
An organization's workstations typically hold sensitive data and can serve attackers as a foothold. Knowing the workstations' vulnerabilities and preventing theft of significant information saves the system administrator a headache. A weak password is one of the easiest ways for an intruder to gain access to a system. Vulnerable client applications are another easy target. For instance, if users reach the server with FTP or Telnet over a public network, an attacker who can capture the traffic reads user names and passwords in plain text and then logs in to the remote workstation. Even when administrators use a secure protocol such as SSH, the remote workstation remains exposed if client applications have not been updated or default credentials have not been changed.
2.2.2 Threats to Server Security
An organization's server always holds essential data. If an attacker compromises the server, all the credentials it stores may be stolen. Typical causes of server compromise are open ports, unused and unpatched services, and a lack of relevant knowledge on the part of the system administrator. A common mistake is installing software without considering which components come with it: a default operating system installation may enable unwanted services such as DNS or Telnet. Likewise, if the system is not kept up to date, attackers can exploit unpatched services whenever they choose.
2.2.3 Threats to Network Security
The network is one of the most exposed parts of a system, and network misconfiguration is the main point of entry for attackers into an organization's information infrastructure. System administrators often fail to appreciate that leaving a trust-based local network open is like leaving the front door of one's home open and hoping nothing will be stolen. Another serious error is relying on a single centralized server: if attackers compromise it, all the data stored on it can be damaged or stolen (Metivier, 2017).
2.3 Application Attacks
Application attacks can be carried out in several ways. Attackers gain access to a computer through weaknesses in the operating system or holes in applications. What makes application attacks hard to stop is that they arrive over the ports the firewall has to allow for the application to work. They include unauthorized access, password cracking attempts, rootkit installation and illegal manipulation of data.

2.4 The Network and System Administrator's Approach

In 2001, Julia Allen of the CERT Coordination Center published a collection of security practices for network and system administrators. According to that paper, the knowledge administrators most need to secure a system comes from day-to-day experience and word of mouth, and a handful of practices address 70-80% of the problems every system administrator faces (Allen, 2001). Figure 1 shows the five high-level steps by which system and network administrators can secure an organization's computer infrastructure.
The steps of the CERT security practices are:
- Harden/Secure. This step covers the physical security of the computer. The system console must always be protected: anyone with physical access to the server can reboot it, reset the root password from the boot loader and read sensitive information, and if the intruder needs only a short time at the console the chance of detecting the break-in is low. Attackers also get in through holes in outdated software and through weak firewall configuration. Administrators should further pay attention to the strength of the root and user passwords, since weak passwords can be cracked with readily available tools.
- Prepare. In the second step, administrators accept that there are vulnerabilities yet to be identified and install appropriate tools for detecting malicious intrusion. Policies and detection techniques must be defined so that newly found problems can be handled.
- Detect. The third step is detecting the system's vulnerabilities with appropriate instruments. Here the administrators simulate the behaviour of attackers to identify the risks and the system's security level, and draw up plans for fixing the problems found while examining the network for breaches.
- Respond. In the fourth step, administrators analyse the results of the previous stage and the damage done by any intrusion. All forms of malicious access are eliminated or mitigated, and the system is returned to normal operation.
- Improve. In the last step, administrators regularly improve the techniques and policies that apply to the affected parts of the system, keep their tools up to date and add new tools for identifying and mitigating intrusion.

Figure 1. Harden/Secure > Prepare > Detect > Respond > Improve: the high-level steps for securing information and mitigating malicious intrusion, according to the CERT network and system administrator practices

2.5 The set of tools for vulnerability testing and assessment

This section describes the instruments and tools used when testing the system for vulnerabilities and assessing the network's security level.
2.5.1 Oracle VM VirtualBox
VirtualBox is a free hypervisor from Oracle that runs multiple guest operating systems on a single physical device without affecting the host operating system or the data stored on the computer (ORACLE, no date).

2.5.2 Kali Linux and John the Ripper

Kali Linux is a Linux-based operating system designed for vulnerability testing and security auditing, and it ships with many tools for different information security tasks (What is Kali Linux ? – Kali Linux, 2018). Among them are several password crackers; one of the best known is the open source John the Ripper (John the Ripper password cracker, no date).

2.5.3 Network Mapper (Nmap) Port Scanning

Nmap (Network Mapper) is a tool for security testing and network exploration. Given target IP addresses, it reports the state of ports (open, closed or filtered), the services reachable on them (application name and version), the operating system and version, the presence of firewalls, and more (Nmap: the Network Mapper - Free Security Scanner, no date). Network and system administrators commonly use Nmap to check the security of their network.

2.5.4 Open Vulnerability Assessment System (OpenVAS)

OpenVAS is an open source vulnerability scanner designed for actively checking network hosts for security-related problems, rating their severity and tracking their remediation. It probes open ports, sends packets that simulate attacks and, when given credentials, can log in to the target to run authenticated checks (OpenVAS - OpenVAS - Open Vulnerability Assessment System, no date).

3. CONFIGURATION OF THE TEST LABORATORY AND METHODOLOGY

This chapter describes how the test laboratory was built and the methodology used to investigate breaches in the system and conduct the vulnerability assessment. The main question of the research is how network and system administrators can use security tools and techniques against malicious intrusion into networked computer systems.

3.1 Building the Test Laboratory with Oracle VM VirtualBox on Mac OS X

A MacBook laptop was used for the research; all major software components were updated before the experiments. Table 1 lists the characteristics of the host computer.

Software   macOS Mojave 10.14.1
Processor  1.6 GHz Intel Core i5
Memory     4 GB 1600 MHz DDR3
Storage    15.85 GB available
Table 1. Resources of the computer used for the test

The research was conducted with Oracle VM VirtualBox, which allows different operating systems to be installed in separate virtual machines on the same physical machine. After running the installer and opening the main window of the program, two virtual machines were created on the laptop. The vulnerability testing laboratory is shown in figure 3. One virtual machine, the Widgets Inc VM image, served as the target host server; the other, a Kali Linux VM, served as the system administrator's vulnerability workstation (Kali Linux is described in section 2.5.2). Wired and wireless connections were set up for each VM so that the VMs can reach the outside world and vice versa:

Figure 2. Set up a wired connection

Running VMs cannot use the physical machine's built-in wireless card, so external USB wireless adapters were used during the investigation. OpenVAS (section 2.5.4) was also installed in the Kali Linux VM to evaluate well-known system vulnerabilities during the testing.

Figure 3. Vulnerability testing laboratory environment: the system and network administrator's Kali Linux VM and the target machine (VM image of Widgets Inc)

3.2 The Proposed Network and System Administrator's Method of Approach

The background chapter presented the high-level steps of the CERT network and system administrator practices for securing information and mitigating malicious intrusion. This approach is used here to reduce the number of "holes" in the system, minimize malicious interference and raise the security level of the organization's network. The same steps, tools and methods that administrators routinely apply in their daily work were followed in this test; figure 4 shows them.

Figure 4. The proposed network and system administrator's method of approach: Harden/Secure > Prepare > Detect > Respond > Improve


4. THE INVESTIGATION OF THE WIDGETS INC SERVER: HARDEN/SECURE, PREPARE AND DETECT STEPS
Different techniques and tools were used in the different steps of the investigation. Each tool is described briefly in section 2.5 and each step in detail in section 2.4. Before vulnerability testing and auditing of a system's threats can begin, permission must be obtained from the organization; in this case Widgets Inc granted full rights to test the server.
4.1 The Harden/Secure Step
This step concerns the physical layout of the system. Most operating systems provide a recovery entry from the boot prompt, which is essential when an administrator has forgotten or lost the system password. However, an unauthorized person with access to the system console can use the same path to reset the root password and break in. Widgets Inc uses Ubuntu 12.04, which is based on Debian GNU/Linux, and resetting the root password takes only a few steps (How to reset lost root password on Ubuntu 16.04 Xenial Xerus Linux - LinuxConfig.org, no date):
- reboot Ubuntu 12.04;
- hold Shift during boot to open the GNU GRUB menu;
- select the first entry and press e to edit it;
- find the line starting with "linux", append rw init=/bin/bash and press Ctrl+X to boot:

Figure 5. GRUB menu of Ubuntu 12.04

- at the resulting root shell, set a new root password with passwd (in this case the root password was set to "password");
- reboot the system.
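The corresponding hardening can be checked rather than assumed. The script below is an added example and not part of the original report: GRUB 2 can require a password before a menu entry may be edited, which closes the init=/bin/bash path above. The first function tests whether a GRUB fragment (normally /etc/grub.d/40_custom) both names a superuser and defines a PBKDF2 password; the second emits that fragment. The user name, the placeholder hash and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original report): does a GRUB 2 config
# fragment lock the boot menu editor behind a superuser password?
# The user name, placeholder hash and sample fragments are assumptions.

# Return 0 when the fragment both names a superuser and defines a
# password_pbkdf2 line; 1 otherwise (menu entries can be edited freely).
grub_menu_locked() {
    cfg="$1"
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" || return 1
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+' "$cfg" || return 1
    return 0
}

# Emit the two lines that go into /etc/grub.d/40_custom. The hash argument
# is what `grub-mkpasswd-pbkdf2` prints (grub.pbkdf2.sha512.10000.<salt>.<hash>).
grub_lock_fragment() {
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# --- constructed samples (not real files from the Widgets Inc server) ---
tmp=$(mktemp -d)
# stock 40_custom header from a default Ubuntu install: no protection at all
printf '#!/bin/sh\nexec tail -n +3 $0\n' > "$tmp/40_custom.default"
# hardened fragment; the hash value is a placeholder, not a real hash
grub_lock_fragment admin 'grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH' \
    > "$tmp/40_custom.hardened"

for f in "$tmp/40_custom.default" "$tmp/40_custom.hardened"; do
    if grub_menu_locked "$f"; then
        echo "$(basename "$f"): menu editing requires the GRUB password"
    else
        echo "$(basename "$f"): anyone at the console can add init=/bin/bash"
    fi
done
rm -rf "$tmp"
```

After adding the fragment, run update-grub. Unless the menu entries carry --unrestricted (on Ubuntu, added to the CLASS line in /etc/grub.d/10_linux), the password is also asked at every normal boot, which is rarely wanted on a server. A GRUB password only protects the boot menu: an attacker who can boot the machine from USB or remove the disk still reads the data, so full-disk encryption is the complete answer to console access.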
As soon as an attacker is logged on as root, all data stored on the server is at their disposal. The next step was to identify the passwords of the Widgets Inc accounts. UNIX-like systems keep the list of login names in /etc/passwd; historically this file also held the password hashes, but on modern systems it is world-readable and its password field contains only an "x". An attacker with any access to the server can read it and obtain the login names. The contents of /etc/passwd were listed with the command less /etc/passwd:

Figure 6. The information from file /etc/passwd

The password hashes themselves, together with password ageing information for each user, are kept in /etc/shadow, which is readable only by root. An attacker who has logged in as root can therefore read every password hash with less /etc/shadow:

Figure 7. The information from file /etc/shadow


Next, the user names and password hashes were fed to the well-known password cracker John the Ripper:

Figure 8. Cracked password of the Widgets Inc server

John the Ripper recovered the password in about 14.5 seconds. This is a critical weak point, since with it an attacker can enter the system at any time and compromise sensitive data. The operating system version was then identified with the command cat /etc/os-release:

Figure 9. Identification OS of server

Ubuntu 12.04 has a number of published vulnerabilities, such as CVE-2016-0794 (denial of service via memory overflow) and CVE-2014-0474 (MySQL typecasting), among many others, which were addressed in later releases (Canonical Ubuntu Linux version 12.04 : Security vulnerabilities, no date). It is important to update the operating system and apply patches regularly, since they carry the fixes for many exploits.
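The /etc/passwd and /etc/shadow inspection and the John the Ripper run in this section can be made repeatable. The script below is an added example, not the report's own procedure: it classifies the hash in each shadow entry by its crypt prefix (empty, locked, sha512crypt, sha256crypt, md5crypt, DES), lists every UID 0 account in passwd, and shows in comments how the two files are combined for John. The sample entries are constructed and the hashes are not real; /usr/share/wordlists/rockyou.txt is the Kali wordlist path, assumed here.

```shell
#!/bin/sh
# Added example (not from the original report): audit /etc/passwd and
# /etc/shadow entries before handing them to John the Ripper.
# Sample entries below are constructed; the hashes are not real.

# Classify the password field of one shadow entry by its crypt prefix.
shadow_hash_kind() {
    case "$1" in
        '')        echo "EMPTY (login without a password)" ;;
        '!'*|'*')  echo "locked" ;;
        '$6$'*)    echo "sha512crypt" ;;
        '$5$'*)    echo "sha256crypt" ;;
        '$1$'*)    echo "md5crypt (weak, fast to crack)" ;;
        *)         echo "descrypt or unknown (weak)" ;;
    esac
}

# Print "user: kind" for every entry in a shadow-format file.
shadow_audit() {
    while IFS=: read -r user hash _; do
        printf '%s: %s\n' "$user" "$(shadow_hash_kind "$hash")"
    done < "$1"
}

# Count entries whose password field is empty or uses a weak hash.
shadow_risky_count() {
    shadow_audit "$1" | grep -c -e 'EMPTY' -e 'weak' || true
}

# Every account with UID 0 is root, whatever it is called.
passwd_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# --- constructed samples ---------------------------------------------------
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
widget:x:1000:1000:Widgets Inc:/home/widget:/bin/bash
backup2:x:0:0::/root:/bin/bash
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$saltsalt$NOTAREALHASHNOTAREALHASH:17900:0:99999:7:::
daemon:*:17900:0:99999:7:::
widget:$1$abcdefgh$NOTAREALHASH:17900:0:99999:7:::
guest::17900:0:99999:7:::
EOF

shadow_audit "$tmp/shadow"
echo "risky entries: $(shadow_risky_count "$tmp/shadow")"
echo "UID 0 accounts: $(passwd_uid0 "$tmp/passwd" | tr '\n' ' ')"

# On the Kali VM the real files are combined and cracked like this
# (not executed here; the report's run took about 14.5 s):
#   unshadow /etc/passwd /etc/shadow > hashes.txt
#   john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
#   john --show hashes.txt
rm -rf "$tmp"
```

A second UID 0 account such as the constructed backup2 above is as good as the root password for an attacker, and an empty or md5crypt field falls to a wordlist in seconds; both should be fixed before anything else in the Respond step.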

4.2 The Prepare Step

In this step the simulated testing laboratory was established. Kali Linux was used to identify vulnerabilities and simulate attacks in order to assess the server's security level. Building the test laboratory is described in detail in section 3.1.
4.3 The Detect Step
In this step the vulnerability testing and assessment were performed, in a series of experiments over several days. The target VM obtained its IP address by DHCP (Dynamic Host Configuration Protocol), so the address changed from test to test and was looked up each time with nslookup, which queries DNS (Domain Name System) for a host's name and address:

Figure 10. Determining the IP address of the target machine with nslookup

Throughout the research, malicious intrusion was imitated to estimate how attackers could use the weaknesses found to break into the system. In this stage, port scanning, service fingerprinting and the presence of a firewall were investigated with nmap and different flags. Network scanning determines which ports are open, closed, filtered or unfiltered and gives detailed information about the services running on the target machine. The scans used the switches -sS (TCP SYN scan) and -A (aggressive scan). A SYN scan decides from the response to a half-open connection whether a port is listening and can reveal filtering by a firewall; the -A option adds version detection, OS detection, script scanning and traceroute. The command nmap -sS 192.168.10.21 -A was executed and its output is shown in figures 11.1 and 11.2.
Figure 11.1. Results from Nmap port scanning
The standard SSH port 22 was open and the fingerprints of the host keys were reported. Host keys are the cryptographic keys with which a server authenticates itself to clients in the SSH protocol; the private host keys must be readable only by root. If attackers gain root access to the server they can copy the private host keys and then impersonate the server to its users (a man-in-the-middle attack), as well as read /etc/passwd and /etc/shadow and crack the passwords as described in section 4.1. Root credentials must therefore be kept in reliable hands, and host keys should be regenerated after any compromise and rotated periodically (SSH Host Key - What, Why, How | SSH.COM, 2017). The standard HTTP port 80 was also open, as were ports 3306 (MySQL database) and 8080 (HTTP).
Figure 11.2. Results from Nmap port scanning

Next, an ACK scan was run to check for a firewall. Figure 12 shows the result of the command nmap -sA 192.168.10.1. All 1000 scanned ports were reported unfiltered, meaning every ACK probe received a RST reply: no perimeter device or stateful firewall was filtering traffic to the target machine. (An ACK scan cannot tell open ports from closed ones; it only shows which ports are reachable through any filtering.)

Figure 12. The results of the ACK scan
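The same findings can be pulled from nmap's machine-readable output instead of being read off screenshots. The script below is an added example, not the report's scan: it parses grepable output (written with nmap -oG file), lists the open ports, maps the ports the report found to the concerns discussed in this section, and reads the "unfiltered" count out of an ACK scan. Both output samples are constructed to match the report's results and are not the real scan output.

```shell
#!/bin/sh
# Added example (not from the original report): parse nmap grepable output
# (-oG) from the SYN/-A scan and the ACK scan. Sample outputs are constructed.

# Print "port/proto service" for every open port in a -oG file.
# Fields in a Ports: entry are port/state/proto/owner/service/rpc/version/
nmap_open_ports() {
    awk -F'\t' '/^Host:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
            sub(/^Ports: /, "", $i)
            n = split($i, e, /, */)
            for (j = 1; j <= n; j++) {
                split(e[j], f, "/")
                if (f[2] == "open") print f[1] "/" f[3] " " f[5]
            }
        }
    }' "$1"
}

# One line of triage per open port, following the report's discussion.
nmap_findings() {
    nmap_open_ports "$1" | while read -r pp svc; do
        case "${pp%%/*}" in
            21|23)   echo "$pp $svc: credentials cross the network in clear text" ;;
            80|8080) echo "$pp $svc: HTTP without TLS, sensitive data readable on the wire" ;;
            3306)    echo "$pp $svc: database reachable from the network, bind to localhost or firewall it" ;;
            22)      echo "$pp $svc: SSH, check root login policy and host key file permissions" ;;
            *)       echo "$pp $svc: confirm this service is needed" ;;
        esac
    done
}

# From an ACK scan: number of ports nmap put in the "unfiltered" state.
# 1000 of 1000 unfiltered = every probe got a RST back = no stateful firewall.
nmap_unfiltered_count() {
    sed -n 's/.*Ignored State: unfiltered (\([0-9][0-9]*\)).*/\1/p' "$1"
}

# --- constructed samples --------------------------------------------------
tmp=$(mktemp -d)
printf 'Host: 192.168.10.21 ()\tStatus: Up\n' > "$tmp/syn.gnmap"
printf 'Host: 192.168.10.21 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/, 3306/open/tcp//mysql//MySQL/, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)\n' >> "$tmp/syn.gnmap"
printf 'Host: 192.168.10.21 ()\tIgnored State: unfiltered (1000)\n' > "$tmp/ack.gnmap"

echo "open ports:"; nmap_open_ports "$tmp/syn.gnmap"
echo "findings:";   nmap_findings "$tmp/syn.gnmap"
echo "ACK scan: $(nmap_unfiltered_count "$tmp/ack.gnmap") of 1000 ports unfiltered"
rm -rf "$tmp"
```

Running the parser over a scan taken before and after the Respond step gives a direct check that port 3306 has disappeared from the open list and that the ACK scan no longer reports 1000 unfiltered ports.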

Finally, the vulnerability assessment was carried out with OpenVAS. The results are shown in figure 13; overall, the Widgets Inc server was rated as having high-severity vulnerabilities.
Figure 13. Results of OpenVAS

OpenVAS also produced a detailed report of the individual defects in the system; figure 14 shows the full descriptions of the vulnerabilities.

Figure 14. Detailed report from OpenVAS

The operating system and the database proved to be the weakest links in the system. Somewhat less severe were the risks related to the default files left on the servlet container, sensitive data transmitted over HTTP, and the use of a weak algorithm.
5. THE RECOMMENDATIONS: RESPOND AND IMPROVE STEPS
5.1 Respond Step
This step gives recommendations for reducing the severity of the weaknesses found and raising the security level of the server. First, the main server and its console must be physically protected, and the superuser password must be kept in reliable hands; otherwise attackers can walk up to the unsecured system, reset the root password and break in.
Second, as noted above, Ubuntu 12.04 has several vulnerabilities that were fixed in later releases, so the operating system should be upgraded to Ubuntu 18.04 (Cawley, 2018). During installation, services and packages should be kept to a minimum and only essential components installed. As the ACK scan showed, no firewall was present; a firewall should be configured so that only the ports the server actually needs are reachable from the network.
Third, the root password and all user passwords must be strong and never left at default values. A strong password contains lower- and upper-case letters together with symbols such as ", @, !, #, ^. Credentials stored in plain text were found in the host's applications; these files should be removed, otherwise attackers can use them to reach sensitive data. It was also possible to log in to the MySQL database as root with no password; a secure password must be set as soon as possible.
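The password recommendation above can be enforced rather than just stated. The function below is an added example, not from the report: it applies the report's rule (lower and upper case plus symbols) and adds a minimum length, a digit requirement and a short block-list containing the word "password" (which the root account used, and which John cracked in 14.5 seconds) and the company name; the length, the digit rule and the block-list words are my assumptions. The MySQL commands in the comments use the MySQL 5.5 syntax shipped with Ubuntu 12.04 and are not executed.

```shell
#!/bin/sh
# Added example (not from the original report): check a candidate password
# against the report's rule (mixed case plus symbols) extended with a minimum
# length, a digit and a block-list. Length 12, the digit rule and the
# block-list words are assumptions, not requirements stated in the report.

# Prints the first failed rule, or "ok"; exit status 0 only for "ok".
check_password() {
    pw="$1"
    [ "${#pw}" -ge 12 ] || { echo "too short (< 12)"; return 1; }
    printf '%s' "$pw" | grep -q '[[:lower:]]'  || { echo "no lower-case letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:upper:]]'  || { echo "no upper-case letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]'  || { echo "no digit"; return 1; }
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' || { echo "no symbol"; return 1; }
    # Block-list: words a wordlist attack tries first (constructed list).
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for bad in password widget qwerty admin letmein; do
        case "$lower" in *"$bad"*) echo "contains block-listed word '$bad'"; return 1 ;; esac
    done
    echo ok
}

# Constructed candidates: the report's cracked root password first.
for cand in 'password' 'Widgets2018!' 'Tr0ub4dor&3' 'c0rrect-Horse#Battery'; do
    printf '%-24s %s\n' "$cand" "$(check_password "$cand")"
done

# Fix for the MySQL root account that accepted an empty password
# (MySQL 5.5 syntax on Ubuntu 12.04; not executed here):
#   mysql -u root -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<new strong password>');"
# or run mysql_secure_installation, which also removes anonymous users and
# the test database; then set bind-address = 127.0.0.1 in my.cnf so that
# port 3306 is no longer reachable from the network at all.
```

The block-list matters more than the character classes: "Widgets2018!" satisfies every class rule yet is exactly the kind of company-name-plus-year guess a wordlist with rules produces first.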

5.2 Improve Step

In the last step, a support policy keeps the security level of the system high:
- strict control of access to the console;
- frequent changes of the superuser password;
- installation of a firewall;
- regular monitoring of software updates and upgrading of the operating system;
- repeated scanning of the network for open ports and services, with appropriate action taken;
- training of users so that they maintain the appropriate level of security.

6. CONCLUSION
As IT infrastructures and the use of Internet technologies become more complex every day, maintaining the security level of systems becomes more challenging, and the need to investigate threats to systems and to mitigate and address them grows. The results show that research in a simulated Widgets Inc environment has been worthwhile: the security threats to the Widgets Inc server were investigated and recommendations were proposed for reducing the likelihood of malicious intrusion, using FOSS tools and following best system administration practices.
The proposed method can readily be used in practice. The benefits of this simulated test of the Widgets Inc network should therefore be considered by developers when building new products and by system and network administrators when investigating their systems.

7. REFERENCES

- Allen, J. (2001) 'CERT, System and Network Security Practices', Carnegie Mellon University, Software Engineering Institute, CERT Coordination Center, p. 11. Available at: http://www.cert.org.
- Armerding, T. (2018) The 17 biggest data breaches of the 21st century | CSO Online. Available at: https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html (Accessed: 21 November 2018).
- Basta, A., Basta, N. and Brown, M. (2014) Computer Security and Penetration Testing. Australia: Cengage Learning.
- Brinkley, D. and Schell, R. (1995) 'Concepts and terminology for computer security', Information security, pp. 40–98. Available at: http://web2.utc.edu/~Li-Yang/cpsc4670/02.pdf.
- Canonical Ubuntu Linux version 12.04 : Security vulnerabilities (no date). Available at: https://www.cvedetails.com/vulnerability-list.php?vendor_id=4781&product_id=20550&version_id=127611&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=7&cvssscor (Accessed: 28 November 2018).
- Cawley, C. (2018) 7 Reasons to Upgrade to Ubuntu 18.04 LTS. Available at: https://www.makeuseof.com/tag/reasons-upgrade-ubuntu/ (Accessed: 30 November 2018).
- How to reset lost root password on Ubuntu 16.04 Xenial Xerus Linux - LinuxConfig.org (no date). Available at: https://linuxconfig.org/how-to-reset-lost-root-password-on-ubuntu-16-04-xenial-xerus-linux (Accessed: 28 November 2018).
- INFOWATCH (2018) Data Leakage News | InfoWatch. Available at: https://infowatch.com/analytics/leaks_monitoring# (Accessed: 21 November 2018).
- John the Ripper password cracker (no date). Available at: https://www.openwall.com/john/ (Accessed: 1 December 2018).
- Metivier, B. (2017) Fundamental Objectives of Information Security: The CIA Triad. Available at: https://www.sagedatasecurity.com/blog/fundamental-objectives-of-information-security-the-cia-triad (Accessed: 27 November 2018).
- Nmap: the Network Mapper - Free Security Scanner (no date) nmap.org. Available at: https://nmap.org/ (Accessed: 25 November 2018).
- OpenVAS - OpenVAS - Open Vulnerability Assessment System (no date). Available at: http://www.openvas.org/ (Accessed: 25 November 2018).
- ORACLE (no date) Oracle VM VirtualBox. Available at: https://www.virtualbox.org/ (Accessed: 25 November 2018).
- Rhodes-Ousley, M. (2013) Information Security: The Complete Reference. McGraw-Hill Education.
- SSH Host Key - What, Why, How | SSH.COM (2017). Available at: https://www.ssh.com/ssh/host-key (Accessed: 30 November 2018).
- Stanley, R. (2010) 'Information security', in Cybercrimes: A Multidisciplinary Analysis. doi: 10.1007/978-3-642-13547-7_5.
- What is Kali Linux ? – Kali Linux (2018) Offensive Security. Available at: https://docs.kali.org/introduction/what-is-kali-linux (Accessed: 25 November 2018).
