
YUSIF SULEIMAN

[2308-0703-0223]

INTERNATIONAL ADVANCE DIPLOMA IN NETWORK & COMPUTER SECURITY
SYSTEM INTRUSION & COMPUTER FORENSIC
CSM203 ASSIGNMENT, TERM 3 2012

Student declaration: I declare that:
I understand what is meant by plagiarism.
The implication of plagiarism has been explained to me by my institution.
This assignment is all my own work and I have acknowledged any use of the published and unpublished works of other people.
Student's signature:
Total number of pages including this cover page:

Submission Date: 29/10/2012
Due Date: 13/11/2012
Student's ID: 2308-0703-0223
Class Code: GROUP 1
Student's Full Name: YUSIF SULEIMAN
Lecturer's Name: MR. BASHIR

OFFICIAL USE ONLY
Marker's comments
Date: 29\10\2012
Marker's name
Initial mark awarded: /100
Penalty on late submission
Penalty for plagiarism
Final mark awarded: /100

CSM203 SYSTEM INTRUSION & COMPUTER FORENSICS

Page 1


Table of Contents
CONTENT ..... PAGES
Cover ..... 1
Table of Contents ..... 2
List of Figures ..... 3
List of Tables ..... 3
1.0 Introduction ..... 5
1.1 Description of Vulnerabilities ..... 5
    What is Vulnerability ..... 5
    The Web Application Security Gap ..... 5
    How it Affects the System ..... 6
    Top Web Application Vulnerabilities & Security Threats ..... 7
1.2 Proof of Concept ..... 8
1.2.1 SQL Injection ..... 8
1.2.2 Counter Measures for SQL Injection ..... 12
1.3.1 CSRF ..... 13
1.3.2 Counter Measures for CSRF ..... 19
1.4.1 Denial of Service ..... 20
    Modes of Attacks ..... 20
1.4.2 Counter Measures for DOS ..... 25
2.1 Windows versus Linux ..... 27
2.2 Firefox versus Internet Explorer ..... 29
2.3 Conclusion ..... 30
3.1 Three Tools/Methods ..... 31
3.2 Description of Each Conversion ..... 32
3.3 Assumption and Potential Errors ..... 35
3.4 Deciphered Text ..... 36
4.1 References ..... 37

List of Figures

1. Figure 1.2.1: SQL command to generate a specific error message ..... 8
2. Figure 1.2.2: Beginning Web Scan ..... 8
3. Figure 1.2.3: Entering Web Address ..... 9
4. Figure 1.2.4: Beginning Testing ..... 9
5. Figure 1.2.5: Vulnerabilities Shown ..... 10
6. Figure 1.2.6: Final Report ..... 10
7. Figure 1.3.1: CSRF ..... 13
8. Figure 1.3.2: Entering Apple web address ..... 14
9. Figure 1.3.3: Finding Target ..... 14
10. Figure 1.3.4: Login Web Scan ..... 15
11. Figure 1.3.5: Completing Login Web ..... 15
12. Figure 1.3.6: Beginning Web Scan ..... 16
13. Figure 1.3.7: Element of Vulnerabilities ..... 16
14. Figure 1.3.8: Vulnerabilities Shown ..... 17
15. Figure 1.3.9: Vulnerabilities Shown as CSRF ..... 17
16. Figure 1.3.10: Final Report for CSRF ..... 18
17. Figure 1.4.1: DOS Starting Point ..... 20
18. Figure 1.4.2: Entering MTN web address ..... 20
19. Figure 1.4.3: Finding Target ..... 21
20. Figure 1.4.4: Login Web Scan ..... 21
21. Figure 1.4.5: Scan Began ..... 22
22. Figure 1.4.6: Vulnerabilities Shown ..... 22
23. Figure 1.4.7: Definition of DOS ..... 23
24. Figure 1.4.8: Final Report for DOS Vulnerability ..... 23

List of Tables
1. Table 2.1.1: Comparison of Linux vs Windows ..... 26
2. Table 3.3.1: Decimal to Binary ..... 35
3. Table 3.3.1: Decimal to Hexadecimal ..... 35


Question 1

Identify three (3) possible web (or cloud computing based) application vulnerabilities. Write a report with the following headings:
- Description of vulnerabilities
- Proof of Concept
- Possible Counter Measures

Answer

1.0 INTRODUCTION

1.1 DESCRIPTION OF VULNERABILITIES

What is Vulnerability?

A vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. A threat is a potential attack that, by exploiting a vulnerability, may harm the assets owned by an application (resources of value, such as the data in a database or in the file system). A test is an action that tends to show a vulnerability in the application. A web application vulnerability also refers to a weakness in a custom web application's architecture, design, configuration, or code.

The Web Application Security Gap

There is a lack of awareness of application vulnerabilities in security departments:
- Security departments scrutinize the desktop, the network, and even the web servers, but the web application escapes their measures.
- Even in departments that want to audit for web application vulnerabilities, the lack of effective tools has made it impractical.
- As a result, Certification and Accreditation programs rarely examine the web application.
- In fact, the entire development cycle is usually missing from security procedures and controls.

This illustrates the fundamental gap between security and development, which creates these web application vulnerabilities.

Many traditional information security practitioners are ill-equipped to mitigate application security issues:
- Little to no experience coding.
- No experience coding in modern enterprise environments like .NET and J2EE.
- They understand that there are risks, but are not in a position to address them, or have no resources to manage the issues.

How It Affects the System

Web application vulnerabilities occur in different areas: platform, administration and application.
- Platform: the web server itself is subject to a variety of known vulnerabilities, all of which must be promptly patched.
- Administration: the actual administration and management of the server and its contents is very important. A misconfigured server or poorly managed content can permit system file and source code disclosure.
- Application: the application itself is of the utmost importance. It too can inadvertently reveal source code and system files, and even allow full system access. It can mistakenly allow replay attacks against your customers. It could allow a hacker to impersonate your customers. In addition, it is the web application that interacts with the database to manage and track customer information and to store business and transaction information. One slip-up in the web application can expose the entire system and database, right through a web browser, right over port 80.

Top Web Application Vulnerabilities and Security Threats
1. Unvalidated input
2. Broken access control
3. Broken authentication and access control
4. Cross-site scripting (XSS) flaws
5. Buffer overflows
6. Injection flaws
7. Improper error handling
8. Insecure storage
9. Application denial-of-service
10. Insecure configuration management
11. SQL injection
12. Parameter tampering
13. Cookie poisoning
14. Buffer overflow
15. Malicious file execution
16. Insecure direct object reference
17. Cross Site Request Forgery (CSRF)
18. Information leakage
19. Session management
20. Insecure cryptographic storage
21. Insecure communications
22. Failure to restrict URL access
23. Database server


1.2 PROOF OF CONCEPT

I chose to check the following web vulnerabilities for my project:
- SQL Injection, using www.facebook.com
- Cross Site Request Forgery (CSRF), using www.apple.com
- Denial of Service (DOS), using www.mtnonline.com

1.2.1 SQL Injection

SQL injection is a very old approach, but it is still popular among attackers. This technique allows an attacker to retrieve crucial information from a web server's database. Depending on the application's security measures, the impact of this attack can vary from basic information disclosure to remote code execution and total system compromise. It has been rated from Moderate to Highly Critical. Previously vulnerable products: PHPNuke, MyBB, Mambo CMS, ZenCart, osCommerce.

This attack applies to any database, but from an attacker's perspective there are a few "favorites". MS SQL has the feature of an extended stored procedure call, which allows any system-level command to be executed via the MS SQL server, such as adding a user. Also, the error messages displayed by the MS SQL server reveal more information than a comparable MySQL server. While MS SQL server is not especially prone to SQL injection attacks, there are security measures which should be implemented to make it secure and not allow the SQL server to give out critical system information.

Here is an example of vulnerable code in which the user-supplied input is directly used in a SQL query:

<form action="sql.php" method="POST">
<p>Name: <input type="text" name="username" /><br />
<input type="submit" value="Add Comment" /></p>
</form>

<?php
// Vulnerable on purpose: the POST value is interpolated straight into the statement,
// so quote characters in the input change the structure of the query.
$query = "SELECT * FROM users WHERE username = '{$_POST['username']}'";
$result = mysql_query($query);
?>

The script will work normally when the username doesn't contain any malicious characters. In other words, when submitting a non-malicious username (steve) the query becomes:

$query = "SELECT * FROM users WHERE username = 'steve'";

However, a malicious SQL injection query will result in the following attempt:

$query = "SELECT * FROM users WHERE username = '' or '1=1'";

As the "or" condition is always true, the mysql_query function returns records from the database. A similar example, using AND and a SQL command to generate a specific error message, is shown in the URL below in Figure 1.2.1.

Figure 1.2.1 SQL command to generate a specific error message

Based on the following figures, we can understand the SQL injection testing on the Facebook web server using the WebCruiser web application vulnerability scanner.

Figure 1.2.2 shows the beginning of how we launch the scanner

Figure 1.2.3 entering the web address to be tested

Figure 1.2.4 beginning of the testing

Figure 1.2.5 vulnerabilities shown

Figure 1.2.6 final report: the WebCruiser trial version scanner is limited in generating the final results.

It is obvious that the error messages help an attacker to get hold of the information they are looking for (such as the database name, table name, usernames, password hashes, etc.). Thus displaying customized error messages may be a good workaround for this problem. However, there is another attack technique, known as Blind SQL Injection, where the attacker is still able to perform a SQL injection even when the application does not reveal any database server error message containing useful information for the attacker.

1.2.2 COUNTER MEASURES FOR SQL INJECTION

1. Avoid connecting to the database as a superuser or as the database owner. Always use customized database users with the bare minimum privileges required to perform the assigned task.
2. If the PHP magic_quotes_gpc setting is on, then all the POST, GET and COOKIE data is escaped automatically.
3. PHP has two functions for MySQL that sanitize user input: addslashes (an older approach) and mysql_real_escape_string (the recommended method). This function comes from PHP >= 4.3.0, so you should check first if this function exists and that you're running the latest version of PHP 4 or 5. mysql_real_escape_string prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
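The contrast between the vulnerable PHP snippet in 1.2.1 and a hardened query, shown here as an added example that is not part of this assignment's own code. It uses Python's standard sqlite3 module in place of PHP and MySQL (the table rows, e-mail addresses and the session-free lookup are constructed for the demonstration), and it uses a parameterized query as the fix, which the countermeasure list above does not mention but which keeps the statement text fixed whatever the input contains, instead of relying on escaping with mysql_real_escape_string.

```python
import sqlite3


def build_demo_db():
    """In-memory stand-in for the page's `users` table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("steve", "steve@example.invalid"), ("alice", "alice@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Mirrors the PHP snippet in 1.2.1: the input is spliced into the SQL text,
    so a quote character in the input changes the structure of the statement."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn, username):
    """Hardened form: a parameterized query. The statement text is fixed and the
    value travels separately, so quotes in the input are data, never syntax."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def compare(conn, username):
    """Run both lookups on the same input so the difference is visible."""
    return {"vulnerable": lookup_vulnerable(conn, username),
            "safe": lookup_safe(conn, username)}


if __name__ == "__main__":
    db = build_demo_db()
    # A benign name behaves identically in both versions.
    print(compare(db, "steve"))
    # The page's payload: the concatenated query becomes
    # "... WHERE username = '' or '1=1'" and matches every row, while the
    # parameterized version looks for a user literally named "' or '1=1".
    print(compare(db, "' or '1=1"))
```

The same parameter-binding approach exists in PHP through mysqli or PDO prepared statements; the point the example makes is that the fix is structural (separate code from data), so it does not depend on enumerating which characters to escape.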


1.3.1 CROSS SITE REQUEST FORGERY

A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks, in which the victim is currently authenticated. With a little help from social engineering (like sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like changing the victim's email address, home address, or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data. In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website.

Applications are vulnerable if any of the following hold:
- The application does not re-verify authorization of the action.
- A default login/password will authorize the action.
- The action will be authorized based only on credentials which are automatically submitted by the browser, such as a session cookie, Kerberos token, basic authentication, or SSL certificate.

Protection against CSRF therefore includes:
- Eliminate any Cross Site Scripting vulnerabilities. Not all CSRF attacks require XSS; however, XSS is a major channel for delivery of CSRF attacks.
- Generate unique random tokens for each form or URL, which are not automatically transmitted by the browser.
- Do not allow GET requests for sensitive actions.
- For sensitive actions, re-authenticate or digitally sign the transaction.

Sometimes, it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attacker can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and in many places in their online documentation.

The following sequence of figures describes how I tested the CSRF vulnerability on the Apple store web site.

Figure 1.3.1 CSRF

Figure 1.3.2 shows entering the Apple web address

Figure 1.3.3 finding the target web site

Figure 1.3.4 logging in to the web site

Figure 1.3.5 completing login to the web site for the vulnerability scan

Figure 1.3.6 web scanning began

Figure 1.3.7 elements of vulnerabilities shown

Figure 1.3.8 many vulnerability elements

Figure 1.3.9 vulnerability definition as CSRF

Figure 1.3.10 final report results

1.3.2 COUNTER MEASURES FOR CSRF

Countermeasures for CSRF: Client/User
- Log off immediately after using a web application.
- Do not allow your browser to save usernames/passwords, and do not allow sites to remember your login.
- Do not use the same browser to access sensitive applications and to surf the Internet freely; if you have to do both things on the same machine, do them with separate browsers.
- Integrated HTML-enabled mail/browser and newsreader/browser environments pose additional risks, since simply viewing a mail message or a news message might lead to the execution of an attack.

Countermeasures for CSRF: Developer
- Add session-related information to the URL.
- Use POST instead of GET.
- Automatic logout mechanisms.
- Rely on referrer headers.
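An added example, not part of the assignment, of the "unique random token for each form" protection described in section 1.3.1, combined with the "use POST instead of GET" developer countermeasure listed above. It is written in Python with the standard hmac and secrets modules. The request dicts, session identifiers and e-mail addresses are constructed stand-ins for HTTP requests; the token design (a random nonce plus an HMAC binding it to the session under a server-side key) is one common implementation chosen here, not something the page specifies.

```python
import hashlib
import hmac
import secrets

# Server-side secret, generated once per process (constructed for this example;
# a real deployment loads it from configuration and keeps it out of the page).
SECRET_KEY = secrets.token_bytes(32)


def issue_token(session_id):
    """Mint a per-form anti-CSRF token bound to the caller's session.

    The token is a random nonce plus an HMAC over (session id, nonce): it cannot
    be guessed by another site, and a token minted for one session fails
    verification for any other session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(session_id, token):
    """Recompute the HMAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_change_email(request):
    """Toy 'change e-mail' endpoint. `request` is a constructed dict standing in
    for an HTTP request: method, cookies (attached automatically by the browser,
    which is exactly what CSRF exploits) and form fields (controlled by whoever
    authored the page that submitted the form)."""
    if request.get("method") != "POST":
        return 405, "state-changing actions must use POST"
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not authenticated"
    form = request.get("form", {})
    # The cookie alone is not enough: the token must be present and bound to this session.
    if not verify_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"e-mail changed to {form.get('email')}"


def demo():
    """Exercise the endpoint with one legitimate and three forged requests."""
    victim_cookies = {"session": "sess-victim-0001"}  # constructed session id

    # Legitimate submission: the form the site rendered carried a token for this session.
    legit = {"method": "POST", "cookies": victim_cookies,
             "form": {"email": "me@example.invalid",
                      "csrf_token": issue_token("sess-victim-0001")}}
    # Cross-site submission: the cookie rides along, but the token is absent...
    forged = {"method": "POST", "cookies": victim_cookies,
              "form": {"email": "other@example.invalid"}}
    # ...or was minted for a different session and so does not verify.
    forged_other = {"method": "POST", "cookies": victim_cookies,
                    "form": {"email": "other@example.invalid",
                             "csrf_token": issue_token("sess-other-0002")}}
    # A GET (e.g. an IMG tag) is refused before any state change is considered.
    via_get = {"method": "GET", "cookies": victim_cookies,
               "form": {"email": "other@example.invalid"}}
    return [handle_change_email(r)[0] for r in (legit, forged, forged_other, via_get)]


if __name__ == "__main__":
    print(demo())  # [200, 403, 403, 405]
```

Note that "Rely on referrer headers" from the developer list above is weaker than this token check: the Referer header may be stripped by proxies or privacy settings, whereas the token is something only a page served by the site itself can possess.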

1.4.1 DENIAL OF SERVICE

A denial-of-service attack (DoS) is a type of attack on a network that is designed to bring the network resource to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers. Another typically used DoS is to send packets with the SYN flag to a server, initiating a session, but not sending a packet with the ACK flag, thereby leaving the server in an unresponsive state as it waits for responses.

The primary goal of the attack is to deny the victim(s) access to a particular resource. The sections below also include information that may help you respond to such an attack. A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:
o attempts to "flood" a network, thereby preventing legitimate network traffic
o attempts to disrupt connections between two machines, thereby preventing access to a service
o attempts to prevent a particular individual from accessing a service
o attempts to disrupt service to a specific system or person

Not all service outages, even those that result from malicious activity, are necessarily denial-of-service attacks. Other types of attack may include a denial of service as a component, but the denial of service may be part of a larger attack. Illegitimate use of resources may also result in denial of service. For example, an intruder may use your anonymous FTP area as a place to store illegal copies of commercial software, consuming disk space and generating network traffic.

Modes of Attack

Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:
o Consumption of scarce, limited, or non-renewable resources
o Destruction or alteration of configuration information
o Physical destruction or alteration of network components

Figure 1.4.1 shows the starting point

Figure 1.4.2 entering the web site to be tested

Figure 1.4.3 target checking

Figure 1.4.4 complete login to the web site for the vulnerability scan

Figure 1.4.5 beginning of scan

Figure 1.4.6 vulnerabilities shown

Figure 1.4.7 definition of DoS found on the MTN web site

Figure 1.4.8 final vulnerability result report for www.mtnonline.com

1.4.2 COUNTER MEASURES FOR DOS Defending against Denial of Service attacks typically involves the use of a combination of attack detection, traffic classification and response tools, aiming to block traffic that they identify as illegitimate and allow traffic that they identify as legitimate. A list of prevention and response tools is provided below:

Firewalls
Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Some DoS attacks are too complex for many firewalls, e.g. if there is an attack on port 80 (web service), packet filter firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls may be too deep in the network hierarchy. Routers may be affected before the traffic gets to the firewall. Nonetheless, firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall.

Switches
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN Link failover and balancing. These schemes will work as long as the DoS attacks are something that can be prevented by using them. For example SYN flood can be prevented using delayed binding or TCP splicing. Similarly content based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate-thresholds correctly and granularly. Wan-link failover will work as long as both links have DoS/DDoS prevention mechanism.

Routers
Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under DoS attack. If you add rules to take flow statistics out of the router during the DoS attacks, they further slow down and complicate the matter. Cisco IOS has features that prevent flooding.

Application front end hardware

Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management.

IPS based prevention

Intrusion-Prevention Systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks. An ASIC based IPS can detect and block denial of service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.

DDS based defense

More focused on the problem than IPS, a DoS Defense System (DDS) is able to block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of death) and rate-based attacks (such as ICMP floods and SYN floods). Like IPS, a purpose-built system, such as the well-known Top Layer IPS products, can detect and block denial of service attacks at much nearer line speed than a software based system.
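An added example, not drawn from the assignment, of the rate-based monitoring the IPS and DDS passages above describe ("analyze traffic granularly and continuously monitor the traffic pattern"), applied to the SYN flood pattern from section 1.4.1: a Python sketch that tracks, per source address, the peak number of SYNs inside a sliding one-second window and the share of handshakes that were completed with an ACK. The traffic sample is constructed inline using RFC 5737 documentation addresses, and the thresholds are illustrative assumptions rather than values from the page or from any product.

```python
from collections import defaultdict, deque


def build_sample_events():
    """Constructed TCP handshake observations as (timestamp_s, source, kind).

    kind is "SYN" for a connection request and "ACK" for the client's final
    handshake step. The legitimate client completes every handshake; the
    flooding source sends SYNs only, leaving half-open connections behind.
    Addresses are RFC 5737 documentation ranges, not real hosts.
    """
    events = []
    for i in range(5):                                   # 5 normal connections over 10 s
        events.append((i * 2.0, "198.51.100.7", "SYN"))
        events.append((i * 2.0 + 0.05, "198.51.100.7", "ACK"))
    for i in range(300):                                 # 300 SYNs inside one second
        events.append((4.0 + i / 300.0, "203.0.113.9", "SYN"))
    return events


def detect_syn_anomalies(events, window=1.0, rate_threshold=100,
                         min_syns=20, min_completion=0.1):
    """Per-source SYN flood indicators, in the spirit of a rate-based IPS.

    Two signals are kept per source:
      * peak_syn_rate: the largest number of SYNs seen within `window` seconds;
      * completion:    ACKs / SYNs, which collapses towards 0 when SYNs are
                       never followed by the handshake's final ACK.
    A source is flagged when its peak rate exceeds `rate_threshold`, or when it
    has sent at least `min_syns` SYNs and completed fewer than `min_completion`
    of them. Thresholds are illustrative and must be tuned to real baselines.
    """
    recent = defaultdict(deque)   # sliding window of SYN timestamps per source
    syns = defaultdict(int)
    acks = defaultdict(int)
    peak = defaultdict(int)
    for ts, src, kind in sorted(events):
        if kind == "SYN":
            syns[src] += 1
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop SYNs that fell out of the window
                q.popleft()
            peak[src] = max(peak[src], len(q))
        elif kind == "ACK":
            acks[src] += 1
    report = {}
    for src, n in syns.items():
        completion = acks[src] / n
        flagged = peak[src] > rate_threshold or (n >= min_syns and completion < min_completion)
        report[src] = {"syns": n, "half_open": n - acks[src],
                       "peak_syn_rate": peak[src],
                       "completion": round(completion, 2), "flagged": flagged}
    return report


if __name__ == "__main__":
    for src, metrics in detect_syn_anomalies(build_sample_events()).items():
        print(src, metrics)
```

Two signals are used on purpose: a legitimate but busy client can have a high SYN rate with a healthy completion ratio, while a spoofed-source flood shows both a rate spike and almost no completed handshakes. That is the distinction a signature-based IPS cannot make from packet content alone, which is the limitation the passage above describes.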


Question 2

Go to google.com and search for articles on Windows versus Linux security. Which OS and browser is more safe?
- Five (5) comparisons of Windows versus Linux
- Five (5) comparisons of Internet Explorer versus Firefox

Answer
2.1 WINDOWS VS LINUX

Both Windows and Linux are operating systems with their own advantages, and they differ in functionality and user friendliness. Users who are considering making a change from Windows to Linux or from Linux to Windows commonly want to know the advantages and disadvantages of each operating system. Table 2.1.1 shows the major comparison of those operating systems.

Table 2.1.1: Comparison of Linux vs Windows

1. Security
Linux: There has been a lot of talk lately about malware on Macs, and it's true: Macs are vulnerable to security breaches. Linux is and has always been a very secure operating system. Although it still can be attacked, when compared to Windows it is much more secure. For every single Mac virus or worm, there have been thousands of Windows attackers. And while Linux can be attacked as well, in practice it is more secure than either Mac OS X or Windows, and there has never been a significant Linux desktop security worm.
Windows: Although Microsoft has made great improvements over the years with security on their operating system, their operating system continues to be the most vulnerable to viruses and other attacks. According to Dr. Nic Peeling and Dr. Julian Satchell's Analysis of the Impact of Open Source Software, there have been more than 60,000 viruses in Windows.

2. Ease of use
Linux: Although the majority of Linux variants have improved dramatically in ease of use, Windows is still much easier to use for new computer users. Another plus for Ubuntu is, say you really can't stand Unity: no problem, you can switch to GNOME 3.x, Cinnamon, KDE, whatever. With Ubuntu, while they want you to use Unity, you can choose to use another Linux desktop interface. With Windows 8, you're stuck with half-Metro and half-desktop.
Windows: Microsoft has made several advancements and changes that have made it a much easier to use operating system, and although arguably it may not be the easiest operating system, it is still easier than Linux.

3. Reliability
Linux: The majority of Linux variants and versions are notoriously reliable and can often run for months and years without needing to be rebooted.
Windows: Although Microsoft Windows has made great improvements in reliability over the last few versions of Windows, it still cannot match the reliability of Linux.

4. Threat detection and solution
Linux: In the case of Linux, threat detection and solution is very fast, as Linux is mainly community driven, and whenever any Linux user posts any kind of threat, several developers start working on it from different parts of the world.
Windows: After detecting a major threat in Windows OS, Microsoft generally releases a patch that can fix the problem, and it can take more than 2/3 months. Sometimes sooner: Microsoft releases patches and updates weekly.

5. Hardware and file system support
Linux: Linux companies and hardware manufacturers have made great advancements in hardware support for Linux, and today Linux will support most hardware devices. However, many companies still do not offer drivers or support for their hardware in Linux. Supported file systems: Ext2, Ext3, Ext4, JFS, ReiserFS, XFS, Btrfs, FAT, FAT32, NTFS.
Windows: Because of the number of Microsoft Windows users and the broader driver support, Windows has much larger support for hardware devices, and a good majority of hardware manufacturers will support their products in Microsoft Windows. Supported file systems: FAT, FAT32, NTFS, exFAT.

2.2 FIREFOX VS IE

When it comes to web browsers, your choice of browser depends on which operating system your computer runs: Linux, Windows or Mac. Microsoft's Internet Explorer has enjoyed many years of near dominance. In fact, the current statistics report that nearly three-quarters of web surfers use Internet Explorer. But things are rapidly changing. Although Internet Explorer still remains the most popular browser, usage has steadily decreased since 2002, when 95% of internet users used the browser. So what is the reason for the steady decline in usage? Mozilla Firefox. In only a few years, Firefox has become the second most popular browser, used by almost 1 in 5 web surfers. In this assignment, I figure out how Internet Explorer has maintained such great popularity among web surfers, as well as the advantages and disadvantages of using Firefox as an alternative browser.

i. Security

Both Firefox and Explorer offer roughly equal protection against security concerns like viruses, trojans and the ability of an outside party to hack into your computer. Both browsers also offer protection against phishing. Unlike Internet Explorer, Firefox developers regularly address vulnerabilities and release patches when necessary, and Firefox has a slight edge over Explorer in its history of responding to newly realized system insecurities in a more timely manner.

ii. Crashing

Internet Explorer's legacy will always contain at least one mention of the fact that it is notorious for crashes. All Internet browsers are subject to crashing; that is simply the nature of working with such a sophisticated entity as the multiple machines that actually make up the Internet experience. Firefox is the preferred browser of many people precisely because, when it does crash, it allows a user to restore his browsing session to the exact point before the crash occurred.

iii. Installation

When it comes to installation, many experts agree that Firefox has a definite advantage over Internet Explorer. The most obvious reason is size: Firefox is smaller, more efficient and takes up less space on the hard drive. In a world where a 300 GB hard drive is almost the norm, however, this may not be such a big deal. The installation process is much easier for Firefox than for Explorer, however, and a reboot takes far longer for Explorer than Firefox.


iv. Internet Searching

Both Internet Explorer and Mozilla Firefox have advantages and disadvantages when it comes to the single most important aspect of working with the World Wide Web: all that abundance of information out there means nothing if you can't get to it. The advantage for Internet Explorer is that the average number of hits returned for any search on any search engine tends to be bigger. Firefox has one advantage that many users consider its greatest benefit, however: Firefox allows you to add search engines to the toolbar that afford a narrower search of specific types of websites, or even specific websites like IMDB or Wikipedia.

v. OS Integration, Roaming and Central Management

This basically means that the administrators don't have much further work after Windows is installed. If you have hundreds or even thousands of computers to manage, this is already a very big advantage of IE. You need some good arguments for deploying an extra browser if there is already one installed on your machines. Some nice plugins are certainly not enough. One often-mentioned argument is security. Firefox, like IE, does store its user settings, bookmarks, etc., in the user profile, which means that one can now work with roaming profiles. Thus, users can log on to different machines in the network and will always find their own bookmarks. This is a major improvement compared to the rivals of IE. Probably the most significant advantage of IE is that you can centrally manage it using Group Policies. You always want to configure all applications as homogeneously as possible in a big network. Sometimes it is necessary to change the settings of all web browsers in your company. For example, you might want to change the start page of all browsers, or enable/disable certain functions, or add new bookmarks, etc.

2.3 Conclusion

The advantages of IE are mainly founded in its tight integration with Windows. Firefox has to run on other operating systems too; hence, all features should work on all systems, not only on Windows boxes. That's why we don't expect too many improvements in this field in the near future, although projects like Firefox ADM show that better integration is doable and that some Open Source programmers have recognized this problem. Firefox can't be recommended for corporate use in larger networks. There are exceptions, of course: if all your desktops use Linux or Mac OS. But if you have Windows desktops, the only reason I could think of is that you really need a certain feature of Firefox which is not available in IE.

Question 3


You came across a file containing the following:


546865204F7065726174696E672053797374656D20284F5329DA3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3DDADA546865206F7065726174696E672073797374656D206973206120736574206F662070726F6772616D73207468617420706572666F726D206365727461696E2062617369632066756E6374696F6E73207769746820612073706563696669632074797065206F662068617264776172652EDADA5468652066756E6374696F6E73206F6620746865206F7065726174696E672073797374656D206172653ADA2D205374617274696E672074686520636F6D7075746572DA2D204D616E6167696E672070726F6772616D73DA2D204D616E6167696E67206D656D6F7279DA2D2048616E646C696E67206D657373616765732066726F6D20696E70757420616E64206F75747075742064657669636573DA2D20456E61626C696E67207573657220696E746572616374696F6E20776974682074686520636F6D7075746572DA

You suspect the data is hidden in hex format. Describe in detail the steps you would take to decipher it, as well as the final result. Your answer should include:
i. Three (3) tools/approaches/methods used
ii. Description of each approach taken
iii. Any assumption or potential error
iv. Deciphered text

Answer
3.1 THREE (3) TOOLS/METHODS TAKEN

In computer programming, computers ultimately work only with binary, a numbering system based on 2. Many programmers use a hexadecimal system, based on units of 16, because one hex digit represents exactly four bits and two hex digits represent one byte. Although there are many online tools to help with conversions, an understanding of manual ASCII to binary to hexadecimal conversion is helpful. A hexadecimal representation of an ASCII string is a series of hex values, each of which represents one character (one byte). The goal is to convert each hex value to a character and then concatenate the characters to make a string. The following methods of conversion were used:
i. Hexadecimal to ASCII online converting tools
ii. Hexadecimal to Decimal online converting tools
iii. Hexadecimal to Binary online converting tools

3.2 DESCRIPTION OF EACH CONVERSIONS APPROACH

i. To convert hexadecimal to ASCII, paste the hex string into the tool's input box and click "Convert". You will get the ASCII string represented by the hex values.

The output is shown below (the converter prints "?" for the byte DA, which is not a printable ASCII character):

The Operating System (OS)?=========================??The operating system is a set of programs that perform certain basic functions with a specific type of hardware.??The functions of the operating system are:?- Starting the computer?- Managing programs?- Managing memory?- Handling messages from input and output devices?- Enabling user interaction with the computer?

ii. To convert hexadecimal to binary, paste the hex string into the tool's input box and click "Convert". You will get the binary representation of each byte, as shown below.

The output is shown below:

01010100 01101000 01100101 00100000 01001111 01110000 01100101 01110010 01100001 01110100 01101001 01101110 01100111 00100000 01010011 01111001 01110011 01110100 01100101 01101101 00100000 00101000 01001111 01010011 00101001 11011010 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 00111101 11011010 11011010 01010100 01101000 01100101 00100000 01101111 01110000 01100101 01110010 01100001 01110100 01101001 01101110 01100111 00100000 01110011 01111001 01110011 01110100 01100101 01101101 00100000 01101001 01110011 00100000 01100001 00100000 01110011 01100101 01110100 00100000 01101111 01100110 00100000 01110000 01110010 01101111 01100111 01110010 01100001 01101101 01110011 00100000 01110100 01101000 01100001 01110100 00100000 01110000 01100101 01110010 01100110 01101111 01110010 01101101 00100000 01100011 01100101 01110010 01110100 01100001 01101001 01101110 00100000 01100010 01100001 01110011 01101001 01100011 00100000 01100110 01110101 01101110 01100011 01110100 01101001 01101111 01101110 01110011 00100000 01110111 01101001 01110100 01101000 00100000 01100001 00100000 01110011 01110000 01100101 01100011 01101001 01100110 01101001 01100011 00100000 01110100 01111001 01110000 01100101 00100000 01101111 01100110 00100000 01101000 01100001 01110010 01100100 01110111 01100001 01110010 01100101 00101110 11011010 11011010 01010100 01101000 01100101 00100000 01100110 01110101 01101110 01100011 01110100 01101001 01101111 01101110 01110011 00100000 01101111 01100110 00100000 01110100 01101000 01100101 00100000 01101111

01110000 01100101 01110010 01100001 01110100 01101001 01101110 01100111 00100000 01110011 01111001 01110011 01110100 01100101 01101101 00100000 01100001 01110010 01100101 00111010 11011010 00101101 00100000 01010011 01110100 01100001 01110010 01110100 01101001 01101110 01100111 00100000 01110100 01101000 01100101 00100000 01100011 01101111 01101101 01110000 01110101 01110100 01100101 01110010 11011010 00101101 00100000 01001101 01100001 01101110 01100001 01100111 01101001 01101110 01100111 00100000 01110000 01110010 01101111 01100111 01110010 01100001 01101101 01110011 11011010 00101101 00100000 01001101 01100001 01101110 01100001 01100111 01101001 01101110 01100111 00100000 01101101 01100101 01101101 01101111 01110010 01111001 11011010 00101101 00100000 01001000 01100001 01101110 01100100 01101100 01101001 01101110 01100111 00100000 01101101 01100101 01110011 01110011 01100001 01100111 01100101 01110011 00100000 01100110 01110010 01101111 01101101 00100000 01101001 01101110 01110000 01110101 01110100 00100000 01100001 01101110 01100100 00100000 01101111 01110101 01110100 01110000 01110101 01110100 00100000 01100100 01100101 01110110 01101001 01100011 01100101 01110011 11011010 00101101 00100000 01000101 01101110 01100001 01100010 01101100 01101001 01101110 01100111 00100000 01110101 01110011 01100101 01110010 00100000 01101001 01101110 01110100 01100101 01110010 01100001 01100011 01110100 01101001 01101111 01101110 00100000 01110111 01101001 01110100 01101000 00100000 01110100 01101000 01100101 00100000 01100011 01101111 01101101 01110000 01110101 01110100 01100101 01110010 11011010

iii. To convert hexadecimal to decimal, paste the hex string into the tool's input box and click "Convert". You will get the decimal value of each byte, as shown below.

The output is shown below:

84 104 101 32 79 112 101 114 97 116 105 110 103 32 83 121 115 116 101 109 32 40 79 83 41 218 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 218 218 84

104 101 32 111 112 101 114 97 116 105 110 103 32 115 121 115 116 101 109 32 105 115 32 97 32 115 101 116 32 111 102 32 112 114 111 103 114 97 109 115 32 116 104 97 116 32 112 101 114 102 111 114 109 32 99 101 114 116 97 105 110 32 98 97 115 105 99 32 102 117 110 99 116 105 111 110 115 32 119 105 116 104 32 97 32 115 112 101 99 105 102 105 99 32 116 121 112 101 32 111 102 32 104 97 114 100 119 97 114 101 46 218 218 84 104 101 32 102 117 110 99 116 105 111 110 115 32 111 102 32 116 104 101 32 111 112 101 114 97 116 105 110 103 32 115 121 115 116 101 109 32 97 114 101 58 218 45 32 83 116 97 114 116 105 110 103 32 116 104 101 32 99 111 109 112 117 116 101 114 218 45 32 77 97 110 97 103 105 110 103 32 112 114 111 103 114 97 109 115 218 45 32 77 97 110 97 103 105 110 103 32 109 101 109 111 114 121 218 45 32 72 97 110 100 108 105 110 103 32 109 101 115 115 97 103 101 115 32 102 114 111 109 32 105 110 112 117 116 32 97 110 100 32 111 117 116 112 117 116 32 100 101 118 105 99 101 115 218 45 32 69 110 97 98 108 105 110 103 32 117 115 101 114 32 105 110 116 101 114 97 99 116 105 111 110 32 119 105 116 104 32 116 104 101 32 99 111 109 112 117 116 101 114 218

3.3 ASSUMPTION AND POTENTIAL ERRORS

The main assumption is that the hidden data is ASCII text, one byte per character. One potential error is already visible in the outputs above: the byte DA (decimal 218, binary 11011010) occurs eleven times, is not a printable ASCII character, and the online converter silently rendered each occurrence as "?". An analyst should record such bytes rather than accept the converter's substitute, because a byte the tool cannot display may be a line terminator, a different character encoding, or a transcription error. A second potential error is the line-wrapping of the hex string on the page, which splits one pair ("3 D") across a line; the whitespace must be removed before conversion, or the converter will reject the input or shift every following byte by one nibble.

The first step in a manual conversion is to understand counting in different systems. Our usual denary system uses the digits 0 to 9. Once you reach 9 you start with 10, 11, etc. up to 19, then you move on to the 20s. Binary and hexadecimal numbering systems use the same procedure, with different digits. Binary uses only the digits 0 and 1. Usually these are written in groups of four bits, so 0 in denary is 0000 in binary. The values needed to convert an ASCII string to binary or hexadecimal are contained in tables. However, if you do not have access to a table, you can manually convert ASCII to hex or binary by memorising a few rules and applying basic counting. The digits 0 to 9 begin at binary 0011 0000, hexadecimal 30.

If you remember the hexadecimal value (which is just two characters) you can convert to binary: the hex digit 3 is 0011 in binary and 0 is 0000. Now you can count up through the ASCII digit 9 (hex 39). The capital letters A to Z begin at hexadecimal 41 (binary 0100 0001) and the small letters a to z begin at hexadecimal 61 (binary 0110 0001). One more important character, the space, is hexadecimal 20 and binary 0010 0000. Finally, here is an example of manual conversion. To convert the string "Hi mom" to hexadecimal, start with the H: A has the hexadecimal value 41, B is 42, G is 47, and H is 48. Next is the letter i: a is hexadecimal 61, b is 62, h is 68, and i is 69. So the first part is 48 69. Now insert the space (20) and the rest of the letters. Final answer: 48 69 20 6D 6F 6D. If you remember how to count, a few ASCII-to-hex landmarks, and a little practice, manual conversions are pretty easy.

Decimal   Binary
0         0000
1         0001
2         0010
3         0011
4         0100
5         0101
6         0110
7         0111
8         1000
9         1001
10        1010
11        1011
12        1100
13        1101
14        1110
15        1111
Table 3.3.1 Decimal to Binary

Decimal   Hexadecimal
0         0
1         1
2         2
3         3
4         4
5         5
6         6
7         7
8         8
9         9
10        A
11        B
12        C
13        D
14        E
15        F
Table 3.3.2 Decimal to Hexadecimal

The hexadecimal numbering system uses the digits 0 to 9 and A to F. A byte is written as two hex digits, from 00 to FF. The letter A is 10, B is 11, and F is 15. Counting in hexadecimal looks like this: 00, 01, ..., 09, 0A, 0B, ..., 0F, 10, 11, ..., 1A, 1B, ..., 1F, 20, etc.
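The following Python program is an added example and is not part of the original assignment or of any of the online tools named in 3.1. It carries out the three conversions of 3.1 and 3.2 (hex to ASCII, binary and decimal) and the manual nibble arithmetic of 3.3 in one place, and it addresses the assumption and potential-error points of 3.3 directly: the input is the Question 3 hex string copied with its page line-wraps (which split one byte as "3 D"), every byte outside printable ASCII is listed with its offset instead of being replaced by "?", and the decision to read the byte DA as a line break is an explicit, labelled assumption rather than something the converter did silently. The hexdump-style view and the LINE_BREAK_BYTES constant are this example's own additions.

```python
"""Hex dump decoding for Question 3: manual nibble arithmetic, three renderings,
and an explicit record of every byte that is not printable ASCII.

Added example for this page, not the assignment's own code or that of any
online converter. SAMPLE is the Question 3 dump copied exactly as printed,
including the line-wraps that split one byte as "3 D".
"""

HEX_DIGITS = "0123456789ABCDEF"

# Constructed sample: the Question 3 hex string as it appeared on the page.
SAMPLE = """
546865204F7065726174696E672053797374656D20284F5329DA3D3D3D3D3D3D3D3D3D3
D3D3D3D3D3D3D3D3D3D3D3D3D3D3D3DDADA546865206F7065726174696E672073797
374656D206973206120736574206F662070726F6772616D73207468617420706572666F726D2
06365727461696E2062617369632066756E6374696F6E73207769746820612073706563696669
632074797065206F662068617264776172652EDADA5468652066756E6374696F6E73206F662
0746865206F7065726174696E672073797374656D206172653ADA2D205374617274696E6720
74686520636F6D7075746572DA2D204D616E6167696E672070726F6772616D73DA2D204D
616E6167696E67206D656D6F7279DA2D2048616E646C696E67206D65737361676573206672
6F6D20696E70757420616E64206F75747075742064657669636573DA2D20456E61626C696E
67207573657220696E746572616374696F6E20776974682074686520636F6D7075746572DA
"""


def normalise(text):
    """Drop all whitespace and an optional 0x prefix, upper-case, and validate.

    Joining first matters: a pair split across a line ("3 D") is rejected by
    bytes.fromhex(), and a dropped nibble would shift every later byte."""
    compact = "".join(text.split()).upper()
    if compact.startswith("0X"):
        compact = compact[2:]
    bad = sorted(set(compact) - set(HEX_DIGITS))
    if bad:
        raise ValueError(f"non-hex characters present: {bad}")
    if len(compact) % 2:
        raise ValueError("odd digit count: a nibble was lost in transcription")
    return compact


def pair_to_int(pair):
    """Section 3.3 done by hand: a byte is 16 * (high nibble) + (low nibble)."""
    return 16 * HEX_DIGITS.index(pair[0]) + HEX_DIGITS.index(pair[1])


def to_bytes(text):
    """Hex text (any whitespace, any case) to bytes via the manual method."""
    compact = normalise(text)
    return bytes(pair_to_int(compact[i:i + 2]) for i in range(0, len(compact), 2))


def as_decimal(data):
    """Method (iii) of 3.2: one decimal value per byte."""
    return " ".join(str(b) for b in data)


def as_binary(data):
    """Method (ii) of 3.2: one 8-bit group per byte."""
    return " ".join(f"{b:08b}" for b in data)


def non_ascii_bytes(data):
    """(offset, value) for every byte outside printable ASCII 0x20..0x7E."""
    return [(i, b) for i, b in enumerate(data) if not 0x20 <= b <= 0x7E]


def as_ascii(data, newline_bytes=()):
    """Method (i) of 3.2 without the converter's silent "?": printable bytes pass
    through, bytes listed in newline_bytes become line breaks, and anything
    else is shown as \\xNN so the analyst sees exactly which byte was there."""
    out = []
    for b in data:
        if b in newline_bytes:
            out.append("\n")
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02X}")
    return "".join(out)


def hexdump(data, width=16):
    """xxd-style view: offset, hex bytes, and ASCII with '.' for non-printables."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexes = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        rows.append(f"{off:08X}  {hexes:<{width * 3 - 1}}  {text}")
    return "\n".join(rows)


# Assumption (not established by the dump itself): the only out-of-range byte,
# 0xDA, falls exactly where a line break is expected (after the title, after
# the "====" rule, after the paragraph, after each list item), so decipher()
# treats it as a line terminator. Any other unexpected byte stays visible as \xNN.
LINE_BREAK_BYTES = (0xDA,)


def decipher(text):
    """Full pipeline for Question 3: normalise, convert by hand, render as text."""
    return as_ascii(to_bytes(text), newline_bytes=LINE_BREAK_BYTES)


if __name__ == "__main__":
    data = to_bytes(SAMPLE)
    print(hexdump(data[:32]))
    print("non-ASCII bytes:", sorted({b for _, b in non_ascii_bytes(data)}),
          "at offsets", [i for i, _ in non_ascii_bytes(data)])
    print(decipher(SAMPLE))
```

Running the script prints the first two hexdump rows, the single out-of-range value 0xDA with its eleven offsets, and the deciphered message with the 0xDA bytes rendered as line breaks. Changing LINE_BREAK_BYTES to an empty tuple shows the same text with each 0xDA left as a visible `\xDA`, which is the safer rendering when the meaning of a non-ASCII byte has not yet been established.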

3.4 DECIPHERED TEXT

The converter output, in which each "?" stands for a byte DA that has no printable ASCII equivalent:

The Operating System (OS)?=========================??The operating system is a set of programs that perform certain basic functions with a specific type of hardware.??The functions of the operating system are:?- Starting the computer?- Managing programs?- Managing memory?- Handling messages from input and output devices?- Enabling user interaction with the computer?

Treating each DA as a line break, an assumption suggested by where the byte falls, the message reads:

The Operating System (OS)
=========================

The operating system is a set of programs that perform certain basic functions with a specific type of hardware.

The functions of the operating system are:
- Starting the computer
- Managing programs
- Managing memory
- Handling messages from input and output devices
- Enabling user interaction with the computer
