Reference no: EM132196617

QUESTIONS

1. This question is about the public key used in web site encryption. The key is called a "digital certificate". Web sites with encryption start with https not http.

a. Go to your favorite encrypted web site, such as a bank, or any web site which asks for a password.

Click on the padlock symbol, and it will tell you the name of the company that issued the digital certificate for the web site.
Alternatively, you could just pick a company from the list of recognized digital certificates for the Mozilla web browser

Either way, find the name of a company that issues digital certificates for web sites.

b. Go to the web site of that company that issues digital certificates. Look up their contact details, and write down the company's street address and phone number.

c. Browse the web site of the company that sells digital certificate. Find how much does it cost for a digital certificate for a year? (Use the cheapest choice, e.g., single-name certificate).

d. How does someone apply for a digital certificate from this company? Do they ask for a driver's licence? An incorporation certificate? Or do they only ask that you generate a CSR (certificate signing request), which a web server program can make using its domain name.

e. In your opinion, could a criminal obtain a digital certificate from this company?

2. A few short questions about computer security.

a. Anti-virus software is popular for Microsoft Windows. Find the typical detection rate for popular anti-virus software. Please give recent references for what you find (i.e., since 2018 began, or as new as possible)

b. Using the web, find out one recently severe distributed denial of service (DDoS) attack. Who and how did they launch the attack? What were the damages?

c. How big is the biggest botnet currently in use? What country is it likely to have come from? Please give references for what you find.

Note that the BredoLab Botnet (also known as Oficla) used to run on about thirty million computers, but it was mostly dismantled back in 2010.

3. For identity theft events,

Click on "Data Breaches", and then scroll down a little, and for the types of breaches and organizations, pick "Select All", but only for the year 2018.

a. For identity thefts in 2018, scroll down and find one that's fairly large (at least 10,000 people).

Briefly describe the date, the organization, how many people were affected, and what happened.

b. Click on the back button to return to the search page, and this time pick "Select All" for all 3 choices,

Instead of scrolling down the list, look for the button to download all the breaches as a single spreadsheet.

Just above that button is the "Records total:" that says how many people have had their personal data stolen. Is that bigger than the population of the world?

c. Download the large spreadsheet, and highlight all columns, so you can sort the lines by column F, "Total Records". What is the biggest security breach, and how many people had their personal information stolen? Briefly describe the date, the organization, how many people were affected, and what happened.

4. Some fun questions about criminal web sites.

a. Go to the web site and write down how many web sites there are in the world today.

b. Scroll down a little, and look for how many web sites have been hacked today. How many have been hacked so far today?

c. Practically every 4-letter domain name in ".com" has already been registered. Make up five different random 4-letter domain names, such as (as a random example) tiyu.com ptjh.com cjqx.com and so forth.

Use thewhois search to look up those random 4-letter domain names, and find out how many of them are registered. Many web sites link to whois for free,such as

Of your 5 random 4-letter domain names:
- How many are registered?
- From Whois, what is the name of the contact person? It should be listed as "Registrant Name"?
- Is there a phone number, email address, or physical address?

d. For one of the registered domain names (or if they're all unregistered, try zzz4.com as that's a real web site). For the web site, run a traceroute program on your computer, or go to a web site with a traceroute interface (look for one on Google). There is an online traceroute tool at www.net.princeton.edu/cgi-bin/traceroute.pl

A visual traceroute program is nice, even though it's a bit slow.

Using traceroute, can you find in which country (and, if you can figure it out, which city) is the web site physically hosted?

5. Remember how your phone's MAC address lets people track where you go?

a. For your favorite type of phone or laptop (Android / iPhone / Windows / Apple / etc.), search for a free app that lets you change your MAC address to a different MAC address. What is the name of one such app?

b. Search for a review of that program. Does the review seem positive or negative? If you were a criminal (or just interested in privacy) would this program be good enough for you to use for changing your MAC address? Why or why not?

c. Go to the Google news web site, and search for change mac address

Are there any news articles about computer network security? Pick one news story, and briefly describe what it's about.

6. There are several organizations that sell spy software, which turns your mobile phone into a spying machine. These organizations include:

Pick just one of the above, and do some reading about their spy software (for example, each kind of spy software has its own Wikipedia article).

a. Can anyone buy this software? Or do they only sell it to governments? (Usually corrupt dictatorships with poor human rights records)?

b. Has the software been sold to corrupt dictatorships, and other governments with poor records on human rights?

c. What kind of data do they steal? Is it only the Apple iPhone? Or every kind of mobile phone? Conversations in Skype? Keylogging? Stealing Bitcoin from your cryptocurrency wallet? Or what?

d. Find a recent (within the last year or so) news story, which mentions this software. Give a short summary of the news story.

7. Cost-benefit analysis!Your company's web site is sometimes broken into by hackers, with the following estimates of probabilities and costs:

- Each day there is a 0.4% chancethat a script kiddie will only deface the web site, but cause no other damage. This would cost only $10,000 in lost sales.

- Each day there is a 0.2% chance (once everythree hundred days) that an expert hacker will delete data and steal customers' credit card numbers, costing $250,000.

- Remember how hackers stole all the data from Ashley Madison and killed the company? We estimate that each day there is a 0.02% chance (once in ten thousand days) that an expert hacker will steal all the company's data, costing $1,000,000.

The big boss wants you to advise on which of these three solutions to buy:

I. We could do nothing and accept the problem.

II. A nice IBM firewall costs a huge $50,000 per year. It claims to prevent all script kiddie hackers and 95% of expert hackers.

III. A cheap Microsoft firewall costs only $8,000 per year. It claims to prevent 90% of script kiddie hackers and 50% of expert hackers.

The big boss wants you to advise which to choose. Feel free to use a spreadsheet or calculator or whatever you find the most convenient to answer these questions:

- Calculate the annualized loss expectancy (ALE) for the three kinds of hacker attacks. What is the total annual loss expectancy?
- For the three possible solutions, calculate the total annualized loss expectancy (ALE) if that solution was used?
- Calculate the cost-benefit of the three different solutions
- If the boss asks, is there a large difference between the solutions (are two solutions about the same), or is there a clear winner?
- A magazine article claims that the IBM firewall doesn't stop 95% of expert hackers, it only stops 90% of expert hackers. Would this small difference cause you to change your advice?
- The Microsoft salesperson offers to reduce the price from $8,000 per year, to completely free. Would free software change your advice?

Attachment:- Assignment.rar