Q71: Match the security methods with their descriptions.

Question 71: Match the following:

  a. Phishing
  b. Authentication
  c. Authorization
  d. Accounting

i. Using passwords, one-time tokens, digital signatures.

ii. IP address filtering.

iii. Directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

iv. Keeping track of network resource consumption.


Options:

  1. a-i, b-ii, c-iii, d-iv
  2. a-iv, b-ii, c-iii, d-i
  3. a-i, b-iv, c-ii, d-iii
  4. a-iii, b-i, c-ii, d-iv

Solution: The correct answer is option 4. Phishing is a security attack, whereas AAA (Authentication, Authorization and Accounting) are security services that form part of the security architecture for distributed systems.

Q38: Security concern in program

Question #38: What is the security concern in the following program?

#include <string.h>

#define BUFFER_SIZE 256

int main( int argc, char * argv[ ] )
{
    char buffer[ BUFFER_SIZE ];

    if( argc < 2 )
        return -1;
    else {
        strcpy( buffer, argv[ 1 ] );   /* unbounded copy of argv[1] into a 256-byte stack buffer */
        return 0;
    }
}


Options:

  1. If 256 bytes are not available on the stack, buffer might be allocated as a NULL pointer; copying data into buffer would then result in a segmentation fault.
  2. If argv[1] exceeds 256 characters, then strcpy() will overflow the buffer, potentially overwriting the return address in the stack.
  3. If the number of arguments passed is more than 3, it will cause a security breach.
  4. Both 1 and 2.


Solution:

If the stack cannot provide the memory, the program fails with a “Stack overflow” error and does not proceed, so option 1 does not describe a real concern. Hence, the correct answer is option 2.
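A bounded version of the Q38 program, added here as an illustration and not part of the quiz: copy_argument, fits_in_buffer and long_argument are hypothetical helpers, and long_argument builds a constructed input to exercise the length check at the 255/256 boundary.

```c
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 256

/* Hypothetical helper, not from the quiz: 0 if a string of length len fits
 * a BUFFER_SIZE buffer with its NUL terminator, -1 otherwise. */
int fits_in_buffer(size_t len)
{
    return len < (size_t)BUFFER_SIZE ? 0 : -1;
}

/* Hardened form of the quiz's copy: same 256-byte stack buffer, but the
 * length is checked before anything is written, so an over-long argument is
 * rejected instead of running past the buffer into the rest of the stack
 * frame as the unconditional strcpy() allows. Returns 0 or -1. */
int copy_argument(const char *src)
{
    char buffer[BUFFER_SIZE];
    size_t len = strlen(src);

    if (fits_in_buffer(len) != 0)
        return -1;
    memcpy(buffer, src, len + 1);   /* len + 1 copies the terminator too */
    return 0;
}

/* Constructed test input: n 'A' characters (capped below 512), standing in
 * for an over-long argv[1]. */
const char *long_argument(size_t n)
{
    static char arg[512];
    if (n >= sizeof arg)
        n = sizeof arg - 1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return arg;
}

/* Same entry point as the quiz program, now using the bounded copy. */
int main(int argc, char *argv[])
{
    if (argc < 2)
        return -1;
    if (copy_argument(argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUFFER_SIZE - 1);
        return 1;
    }
    return 0;
}
```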

Q26: Why is password stored as hash?

Question #26: Usually passwords in our systems are not stored as is; only their hash is stored. If PW is the password, then f(PW) is stored, where f is not invertible. What do you think is the intention behind this?

Options:

A) So that some malicious user doesn’t change the password file.

B) So that some malicious user can’t see the password in some text file, as PW can’t be obtained from f(PW).

C) So that some malicious user can’t guess the password.

D) None of the above


Solution:

By storing the hash instead of the password, a malicious user with root access can still change the hash file, thereby indirectly changing the password. But they will not be able to see the password, because the hash is not invertible back to the password. Hence, the correct answer is option B.