Assignment Details:

Planet of the grapes
Planet of the Grapes, a local wine and spirit merchant currently operates in three stores around Perth. Stores are independent from one another and there is no data sharing between stores, although this is not by design but simply a by-product of faster than expected expansion. The organisation is now moving into the online arena and has contracted your computer consulting company to perform a variety of audits on their computer network. The owners have never employed any IT security staff in the past and have preferred to set up systems for themselves. However, it has become apparent that the risks of moving business systems online are not to be ignored. For this reason you are being asked to investigate the security of the system and make recommendations.
There are two distinct tasks being requested in this phase of the audit. Each of these should be answered separately.

Question 1: Attack Surface Modelling (60 marks)
The site being audited has a total of 10 full time staff and an unspecified number of casual staff. The back-office duties are only undertaken by full time staff, but the staff common areas and offices are not locked or physically separated. Full time staffers handle payroll, HR and scheduling tasks. The front counter/cashier duties are sometimes taken on by full timers but also by casual staff. You have been informed that the turnover of casual staff is quite
large, although the reasons for this are unknown.

The computer systems in the back office are all networked via a Cisco small business series ADSL router supplied by Telstra. To permit the owner(s) to check on files from home, remote access services are enabled on some but not all of the machines. There is no centralized authentication server and users logon locally to all machines. All machines contain two local user accounts “admin” and “user”. These accounts are shared by staff to ensure that files are always accessible to fellow staff. The server that will be used for hosting the online presence will run on Ubuntu Linux. The server will also be used as print and file server for other Windows 7 PCs which will run office applications (payroll, HR etc.).

An image of the server machine has been supplied to you as VirtualBox VM. You can obtain the VM from: http://www.it.murdoch.edu.au/szander/ICT287/assignment1/form.php

You will require your student number to download the VM. You should download your own specific VM as there are multiple different VMs for different people.

The network interface of the VM is set to Host-only Adapter and you should leave it that way. For the VM to run, it is necessary to have a Host-only Network configured in VirtualBox. This may already exist, but if it does not exist you can configure it under File->Preferences->Network->Host-only Networks. Make sure you enable the DHCP server.

Your task is to assess the attack surface of this machine. The scope of your analysis is limited to (1) network level attacks and (2) physical attacks. You should NOT logon to the machine and analyse the individual software packages that have been installed. You only need identify and describe any vulnerable services from a network level (using suitable tools) and identify and describe any potential physical attacks given the scenario description above.

It is not mandatory, but you may use a vulnerability scanner (e.g. Nessus) for the network-level analysis. However, you are not allowed to simply copy and paste output of these tools. Like in the real world you must synthesise the output of the tools into a form appropriate for the audience and add textual descriptions.

Your report should outline possible weaknesses and vulnerabilities in the systems. The report should include a summary of less than 1 page that summarises the most important findings and is understandable by a layperson. The following pages should describe the details and should be presented in a format suitable for a general technical audience – i.e. someone who is proficient in IT in general, but may not be a security expert. Citations should be used where appropriate.

Your report should include an overview of the potential vulnerable services and of the physical attack points, reference specific CVE items (with brief explanations) and demonstrate a prioritisation of the most important issues. An exhaustive list of CVEs is not required (there are too many), but you should at least discuss the 10 most critical and these must be relevant to the actual system and services. Based on your findings you should also make some recommendation on how to improve the security.

Question 2: Legacy code (40 marks)
The Internet in Perth is notoriously bad and the Internet connection between Planet of the Grapes and their bank is down on a regular basis. To avoid losing out on any purchases during outages, Planet of the Grapes intends to allow offline purchases (as in the good old times). However, credit card data entered by a customer still needs to be verified offline to prevent malicious users from trying to buy goods with fake credit card numbers.

Planet of the Grapes staff have acquired an application that can do this, but they suspect that this program (supposedly implemented in C) is vulnerable to a critical and very common type of software security vulnerability. Planet of the Grapes has supplied you with a copy of the program (part of http://www.it.murdoch.edu.au/szander/ICT287/assignment1/form.php.)
When you inquire about this software you learn that it cannot be patched as the code is part of a suite of utilities supplied by the financial provider and Planet of the Grapes cannot get access to the code.

Name and explain the type of vulnerability. Discuss what types of systems it affects and why it happens (what is the issue?). Discuss the impact of the vulnerability and how it may be exploited theoretically.

Besides discussing how the vulnerability may be exploited in general, discuss the impact of the vulnerability in this specific case of the credit card validation tool and describe and demonstrate (e.g. screenshot) how it can be exploited. It is not required to use a disassembler for this task, simply manipulating the tool’s input directly is sufficient.

Given that it is not possible to patch the code directly, there is no vendor update and it must remain in use, make at least 3 different recommendations that would reduce the risk this application poses. The recommendation must be specific to this case and not general mitigation strategies that do not apply in this case.