Why are SMS and Email insecure
it is unencrypted so there is no confidentiality, integrity, or authentication
Why are wireless networks less secure
signals travel through the air so anyone in range can eavesdrop, spoof, or jam
Why are mobile devices tricky
they have many interfaces so a larger attack surface with wifi, bluetooth, gps, apps, usb ports
Threat types
app based, physical threats, location tracking
App based threat
malware apps, ransomware, spy apps through camera/mic recording
Physical threats
stolen phone, SIM swapping, malicious USB charging
Location tracking threat
apps that track where you are constantly
Protections for mobile devices
lock the phone, update software, download only official apps, avoid public wifi, turn off unused features, backup data, don’t jailbreak
Why is email inherently insecure
sender can be faked (spoofed), no built in authentication, no guaranteed encryption
Main email threats
spam, phishing, spear phishing, business email compromise, social engineering
4 factors of authentication
what you know, what you have, what you are, where you are
Password formula
P = number of characters possible to the power of the length
Password risks
reuse, data breaches, social engineering, key loggers
Salt in hashing
adds randomness to a password before hashing
Internet is ___ secure by default
not
Packet sniffing
network cards can read all traffic in promiscuous mode
Four layer internet model
application, transport, internet, link
Application
HTTP, DNS, FTP
Transport
TCP (reliability)
Internet
IP addresses (routing)
Link
physical network
IP is
where
Port is
which service on that device
IP address
unique identifier for a device, IPv4 and IPv6
Ports
identify a service on a computer
Open ports
service is running and not blocked, which means it's an attack surface
DNS
domain name system that converts a website to an IP address
DNS vulnerability
can be attacked by spoofing or redirecting users
SYN Flooding
attacker sends many fake SYNs; the server allocates resources for each, but the connection is never finished, so the server crashes
Smurf attack
attacker spoofs victim’s IP and sends a ping to broadcast so every device replies to the victim
Firewalls
separates internal network from the internet to allow or block packets based on IP, port, and protocol
Cookies
stored in browser and sent by the server, used for authentication, personalization, and tracking
Web attacks
XSS, XSRF, SQL injection
XSS
cross-site scripting, where an attacker injects code into a website and it runs in the victim’s browser
XSRF
CSRF tricks your browser into sending requests while you’re logged in
SQL injection
attack sends input that becomes database code
TLS handshake
client and server agree on encryption, verify identity with a certificate, and create a shared secret key; provides CIA
TCP
reliable, ordered delivery, and retransmits lost packets
HTTPS guarantees
data is encrypted, not modified, and server is authentic
Certificates
prove identity of a website issued by a certificate authority and prevents man in the middle attacks
Wifi security
WEP is weak and anyone in range can intercept through rogue access points, while WPA2 and WPA3 are strong