Guide to Operating Systems Security
0-619-16040-3
Guide to Operating Systems Security
Chapter 10 Solutions
Answers to the Chapter 10 Review Questions
1. One of your clients is attempting to use Outlook Express to send an encrypted e-mail to someone
whose proprietary e-mail software is configured only for 64-bit RC2 encryption. However, the other
person’s system is rejecting the e-mail. What might be the problem?
Answer: d. Outlook Express does not support 64-bit encryption for sending a message.
2. Another of your clients is using an older computer that has e-mail software that only supports SMTP.
This user is unable to send an image file. Your diagnosis shows that ____________________. (Choose
all that apply.)
Answer: c. his e-mail software does not support MIME
3. The latest version of S/MIME _______________________________. (Choose all that apply.)
Answer: a. and b.
4. Your organization wants to offer e-mail access for clients through an Internet Web server. In providing
this access, the organization wants a system that will (1) enable users to store e-mail in different
folders, (2) offer the option to search folders for a specific e-mail, and (3) show that a message has
been read. Which of the following should they implement on the new e-mail server? (Choose all that
apply.)
Answer: a. and d.
5. A mail user agent is ______________________________.
Answer: a. a program used to compose an e-mail message and to read an e-mail message
6. Which of the following uses a web of trust?
Answer: b. PGP
7. During a management meeting one of the security officers in your organization complains that he
wastes up to an hour each day just hand-delivering new passwords for users who have forgotten theirs.
He suggests adopting a policy to send new passwords through e-mail. What is your response?
Answer: a. You recommend adopting a company-wide policy to prevent anyone from sending a
user account password through e-mail.
8. GnuPG is most similar to _______________.
Answer: d. PGP
9. The users in your organization are active Internet participants and therefore are now the recipients of
lots of junk e-mail. Many users waste a lot of time each day reading and deleting their junk e-mail.
Which e-mail software is best positioned to address junk e-mail?
Answer: c. Apple Mail
10. Which of the following encryption methods are used in PGP? (Choose all that apply.)
Answer: a. and d.
11. The business manager in your company is using S/MIME and a digital certificate, but her secret
communications with other users are not working. Which of the following might be the problem?
(Choose all that apply.)
Answer: c. The digital certificate is nonstandard, and so does not conform to X.509.
© 2004 Course Technology and Michael Palmer. All rights reserved.
12. The DNS server administrator in your organization has discovered that some DNS records related to
the organization’s SMTP server have been altered. Which of the following records are candidates
for an attacker to change? (Choose all that apply.)
Answer: b. and c.
13. When an attacker targets an e-mail communication that uses POP3, which TCP port is he or she likely
to use in the attack?
Answer: a. 110
14. An SMTP message is encoded in ____________________________.
Answer: b. 7-bit ASCII
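Questions 2 and 14 both turn on the same point: SMTP carries only 7-bit ASCII, so a binary file such as an image cannot be sent unless MIME re-encodes it as text. The following Python example is added here to show that mechanism; it is not part of the solutions manual. It uses only the standard library `email` package, a constructed 256-byte "image" in place of a real picture, and made-up `example.test` addresses.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample "image": every byte value 0-255, so it certainly
# contains bytes outside the 7-bit range that SMTP can carry.
SAMPLE_IMAGE = bytes(range(256))


def is_seven_bit_clean(raw: bytes) -> bool:
    """True if every byte is below 0x80, i.e. representable in 7-bit ASCII."""
    return all(b < 0x80 for b in raw)


def build_mime_message(image_bytes: bytes, filename: str = "photo.bin") -> bytes:
    """Wrap binary data in a MIME message and return the serialized bytes.

    EmailMessage.add_attachment() chooses a Content-Transfer-Encoding for
    binary payloads (base64), which turns arbitrary bytes into text that a
    7-bit SMTP path can carry unchanged."""
    msg = EmailMessage(policy=policy.SMTP)     # SMTP policy: CRLF line endings
    msg["From"] = "baker@example.test"         # constructed addresses
    msg["To"] = "masterbaker@example.test"
    msg["Subject"] = "Image attached"
    msg.set_content("See the attached image.")
    msg.add_attachment(image_bytes, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def attachment_transfer_encoding(raw: bytes) -> str:
    """Report the Content-Transfer-Encoding that MIME chose for the attachment."""
    parsed = BytesParser(policy=policy.SMTP).parsebytes(raw)
    for part in parsed.iter_attachments():
        return str(part["Content-Transfer-Encoding"])
    return ""


def extract_attachment(raw: bytes) -> bytes:
    """Receiver side: parse the wire bytes and decode the attachment back."""
    parsed = BytesParser(policy=policy.SMTP).parsebytes(raw)
    for part in parsed.iter_attachments():
        return part.get_payload(decode=True)
    return b""


if __name__ == "__main__":
    wire = build_mime_message(SAMPLE_IMAGE)
    print("raw image 7-bit clean:   ", is_seven_bit_clean(SAMPLE_IMAGE))
    print("MIME message 7-bit clean:", is_seven_bit_clean(wire))
    print("transfer encoding:       ", attachment_transfer_encoding(wire))
    print("round trip intact:       ", extract_attachment(wire) == SAMPLE_IMAGE)
```

Running the block shows the raw bytes failing the 7-bit check, the MIME-wrapped message passing it with a base64 attachment, and the receiver recovering the original bytes exactly; a client that speaks SMTP without MIME has no equivalent of this re-encoding step, which is why the user in question 2 cannot send the image.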
15. A man-in-the-middle e-mail attacker has been intercepting e-mail messages from the board members
of your corporation and sending copies to a manager in a competing company. He is likely to be
altering the __________________________. (Choose all that apply.)
Answer: a. and b.
16. One of your Apple Mail users configured this software for security and is now not receiving any
e-mail. Which of the following might be the problem?
Answer: a. He configured it to use TCP port 32, but should be using TCP port 25.
17. A disgruntled employee in your organization has been sending malicious e-mail to all of the managers.
Of the following choices, what system is this person most likely using?
Answer: b. a command-line MTA
18. The finance director for a college has been trying to encrypt her e-mail in Outlook Express, but is not
succeeding. What might be the problem?
Answer: c. She must first obtain a digital certificate from a CA.
19. A user who is employing the web of trust is currently discarding lots of e-mail, most likely because
_____________________________________.
Answer: a. that user’s circle of trusted colleagues is too small
20. When SMTP transports a message to a station, but that station is not available, what happens next?
Answer: d. SMTP can retry sending to the recipient for a specified time period before it notifies
the sender that the message did not go through.
Hands-On Projects Tips and Solutions for Chapter 10
Project 10-1
In this project students compare the prices of two commercial certificate authorities for a single user.
In Step 3, students should record the single user fee, such as the yearly fee. Also, they should record
the other security services offered, such as forgery insurance and services to multiple users.
In Step 5, students should record the single user fee for a second commercial CA vendor and they
should record the other security services offered through the vendor.
Project 10-2
In this project, students learn about the PGP Freeware that can be obtained from the MIT Web site.
In Step 3, the systems for which the freeware is available are (at this writing):
• Windows 95/98/NT/2000
• Mac OS
• AIX
• HPUX
• Linux
• Solaris
• DOS
In Step 4, the software for which PGP Freeware is available includes (at this writing):
• Microsoft Outlook
• Microsoft Outlook Express
• Qualcomm Eudora 4.x
• Claris Emailer 2.x
• Emacs
• Mailcrypt
In Step 5, students should note how to obtain the software.
Project 10-3
Students learn how to configure security for Microsoft Outlook Express in this project.
In Step 5, the security that is configured by default is (what students see in their project may differ, if
the defaults have been changed):
• Restricted sites zone (More secure)
• Warn me when other applications try to send mail as me
• Do not allow attachments to be saved or opened that could potentially be a virus
In Step 7, the commercial CAs listed at this writing are:
• Verisign
• GlobalSign
• British Telecommunications
• Thawte Certification
In Step 11, the security options include:
• Warn on encrypting messages with less than this strength
• Always encrypt to myself when sending encrypted messages
• Include my digital ID when sending signed messages
• Encode message before sending (opaque signing)
• Add senders’ certificates to my address book
• Check for revoked Digital IDs: Only when online
• Check for revoked Digital IDs: Never
Project 10-4
In this project, students configure the e-mail security for Microsoft Outlook.
In Step 4, the options already selected may vary from computer to computer. The default option is:
Send clear text signed message when sending signed messages.
In Step 6, the available options include:
• S/MIME
• Exchange Server Security
In Step 8, students' conclusions will depend on whether they are using Outlook 2003 or Outlook 2002,
but many may still favor Outlook Express anyway.
Project 10-5
In this project, students learn how to configure security for a Ximian Evolution Mail account in Red
Hat Linux 9.x. An e-mail account should be set up before students do this project.
In Step 8, the forms of security are PGP and GPG.
In Step 14, students should determine what the other configuration tabs are used for:
• Identity: Provides identity information about the account, such as the e-mail account name and
the Linux account with which it is associated
• Receiving Mail: Defines the server type from which to receive e-mail
• Receiving Options: Defines how often to check for new e-mail
• Defaults: Specifies in which folders to store drafts and sent messages, and carbon copy/blind
carbon copy preferences
Project 10-6
Students learn about configuring security in Apple Mail in this project. An e-mail account should
already be configured before students begin.
In Step 7, the authentication includes the user name and password for accessing the e-mail account.
In Step 8, typically port 25 for SMTP is configured. Also, SSL can be selected for security. When
students view the authentication options, these include:
• None
• Password
• Kerberos version 4
• Kerberized POP (KPOP)
• Kerberos version 5 (GSSAPI)
• MD5 challenge-response
In Step 21, students should note what junk mail rule is currently defined, which may vary from
computer to computer.
Solutions to the Case Project Assignments
Aunt Abby’s is a popular national bakery in a very competitive field. Competitors are always attempting to
acquire information about Aunt Abby’s products, particularly the recipes. Aunt Abby’s makes all types of
packaged bakery goods and has achieved significant success. The company has bakeries in New York,
Atlanta, Toronto, Vancouver, Chicago, Santa Fe, Phoenix, Boise, and San Francisco. Each location has an
SMTP server for e-mail and each is connected to the Internet through DSL lines to public ISPs, which
means that e-mail communications are not particularly secure.
The Toronto location also has a large test bakery that is used for improving current recipes and developing
new ones. Once a recipe is ready for prime time, it is sent via e-mail as an attachment to the master baker at
each of the other locations. For years, Aunt Abby’s has never worried about someone intercepting a recipe
through e-mail, but now they recognize that they need to implement tighter security, because it appears that
a competitor has developed a cake recipe that is very similar to one Aunt Abby’s just improved. Aunt
Abby’s hires you, via Aspen IT Services to consult about e-mail security.
Case Project 10-1: Learning about E-mail Attacks
As a start, the IT staff at the Toronto location ask you to create a report that explains how e-mail might be
intercepted by a competitor. Create such a report and include some diagrams to illustrate the contents of the
report.
Answer:
One way in which e-mail might be intercepted is through reconfiguring DNS records. The records
mentioned in the text are:
• Host address (A) resource record
• IPv6 host address (AAAA) resource record
• Pointer (PTR) resource record
• Service (SRV) locator record
Using this method, the attacker first gains access to the network’s DNS server and changes the records so
that the network’s SMTP server traffic is directed through the attacker’s computer; the attacker then
forwards the e-mail to the recipients, possibly changing the contents of the e-mail. This gives the attacker
the opportunity to forge e-mail.
Another technique is to simply use a sniffer to intercept e-mail traffic.
Students might include diagrams such as Figure 10-3 in the text.
Case Project 10-2: Windows XP Professional E-mail Security
The Toronto test bakery uses Windows XP Professional workstations and when they exchange recipe
information, the recipients in the other locations also use this operating system. What security should they
use to protect their e-mail messages when they send recipes and other important information?
Answer:
These systems should be configured to use S/MIME and digital certificates. The company might contact a
commercial CA to purchase a block of certificates and perhaps insurance to go with them. The users may
deploy either Microsoft Outlook Express or Microsoft Outlook as the e-mail software. When they configure
the e-mail software, they should configure to use encryption and they can use the e-mail software to obtain
a digital certificate from the company’s designated commercial CA.
Before any recipe information is sent, the users should make sure that encryption is configured. Also, the
company should maintain strong security on its DNS servers and regularly check to make sure that SMTP
mail server records have not been altered.
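The last recommendation above, regularly checking that the SMTP-related DNS records have not been altered, is easy to automate by keeping a known-good snapshot of the records and comparing each fresh snapshot against it. The Python example below is added here for that purpose; it is not from the solutions manual, and it works on zone-file style text that an administrator would export or look up rather than querying DNS itself. The zone contents, host names and addresses are constructed for the example. The record types watched are the A, AAAA, PTR and SRV records the text discusses, plus MX, which is the record that tells remote SMTP servers where to deliver mail for a domain.

```python
from collections import namedtuple

# Record types the tampering check watches (see the lead-in for why MX is included).
MAIL_RECORD_TYPES = {"A", "AAAA", "MX", "PTR", "SRV"}

Record = namedtuple("Record", "name rtype data")


def parse_zone_records(text):
    """Parse zone-file style lines ('name TTL IN TYPE data ...') into a set
    of Record tuples. The TTL is dropped on purpose: it can change without
    anyone tampering, so the check should not alert on it."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {line!r}")
        name, _ttl, _klass, rtype = fields[:4]
        data = " ".join(fields[4:])
        records.add(Record(name.lower(), rtype.upper(), data.lower()))
    return records


def diff_mail_records(baseline_text, current_text):
    """Compare the mail-related records of a stored baseline against a fresh
    snapshot. Returns the records that disappeared and the ones that appeared;
    a changed address shows up as one removed plus one added record."""
    baseline = {r for r in parse_zone_records(baseline_text) if r.rtype in MAIL_RECORD_TYPES}
    current = {r for r in parse_zone_records(current_text) if r.rtype in MAIL_RECORD_TYPES}
    return {"removed": sorted(baseline - current), "added": sorted(current - baseline)}


# Constructed sample: the baseline recorded when the zone was known to be good.
BASELINE_ZONE = """
; mail records for the Toronto bakery (constructed example data)
toronto.example.test.        3600 IN MX   10 mail.toronto.example.test.
mail.toronto.example.test.   3600 IN A    192.0.2.25
mail.toronto.example.test.   3600 IN AAAA 2001:db8::25
25.2.0.192.in-addr.arpa.     3600 IN PTR  mail.toronto.example.test.
www.toronto.example.test.    3600 IN A    192.0.2.80
"""

# Constructed sample: the same zone after the mail host's A record was repointed
# at another address (198.51.100.7) and its TTL shortened. Only the address
# change should be reported; the TTL change alone is not evidence of tampering.
TAMPERED_ZONE = """
toronto.example.test.        3600 IN MX   10 mail.toronto.example.test.
mail.toronto.example.test.   300  IN A    198.51.100.7
mail.toronto.example.test.   3600 IN AAAA 2001:db8::25
25.2.0.192.in-addr.arpa.     3600 IN PTR  mail.toronto.example.test.
www.toronto.example.test.    3600 IN A    192.0.2.80
"""

if __name__ == "__main__":
    changes = diff_mail_records(BASELINE_ZONE, TAMPERED_ZONE)
    for record in changes["removed"]:
        print("REMOVED", record)
    for record in changes["added"]:
        print("ADDED  ", record)
```

In practice the baseline would be stored somewhere the DNS administrator account cannot modify, so that an attacker who has already changed the zone cannot also update the snapshot it is compared against.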
Case Project 10-3: Blocking Junk Mail
The marketing staff, which is in the Chicago location, uses Mac OS X and Apple Mail. As part of the
creative process, they spend hours on the Internet collecting ideas. They also now receive lots of junk
e-mail. What can they do to block some of this e-mail, which is time-consuming to read and discard?
Answer:
As a first step, the company should train these users not to open junk e-mail, in case it contains a virus. At
the same time they should be trained in safely using the Internet.
Next, the company might offer user training on configuring e-mail filters and junk e-mail detection in
Apple Mail.
To configure filters:
• Open Apple Mail.
• Click the Mail menu.
• Click Preferences.
• Click the Rules icon.
• Double-click an existing rule to configure, such as Junk; or click Add Rule to create a new rule
(filter).
To directly configure the junk mail options:
• Open Apple Mail.
• Click the Mail menu.
• Point to Junk Mail and select the desired option.
Case Project 10-4: E-mail Digital Certificates
Many of the IT staff would like information about different approaches to digital certificates for e-mail.
Specifically, they ask you to create a report about the approaches used by the following security methods:
• S/MIME
• PGP
As you are preparing this report, they ask you to include information about encryption used with each of
these methods.
Answer:
S/MIME uses the standardized X.509 digital certificates, which the user may obtain from a commercial
CA. It also uses the following types of encryption:
• 40-bit and other forms of RC2 encryption
• 56-bit DES encryption
• 168-bit Triple DES encryption
Further, S/MIME is compatible with Public-Key Cryptography Standards (PKCS).
A PGP digital certificate is structured differently than X.509-compatible certificates and contains the fields:
• PGP version number
• Public key
• Information about the certificate holder
• Digital signature of the certificate holder
• Validity period of the certificate
• Preferred algorithm for the key
PGP complements certificate use with the idea of a web of trust in which multiple people can sign a
certificate and that assumes the recipient is likely to know one of the signers who vouches for the source.
The encryption used by PGP includes:
• CAST
• IDEA
• Triple DES
Case Project 10-5: Securely Handling E-Mail Attachments
The Aunt Abby’s senior management has been concerned lately about a Trojan horse that was introduced
through an e-mail attachment. They calculated that eradicating the Trojan horse took over 70 hours of
employee time. Senior management asks you to prepare a list of recommendations about handling e-mail
attachments (while recognizing that the company’s recipes are sent as attachments).
Answer:
Sample recommendations that might be provided to the senior management include (from the
suggestions in the text):
• Consider not using attachments for internal communications, but instead place the location of a
file in the message – thus having users obtain a file through file sharing and published files in
Active Directory, for example.
• Place a virus scanner on the e-mail gateway and scan all incoming e-mail.
• Delete attachments from unknown sources.
• Do not configure the e-mail software to automatically open attachments.
• Avoid using the HTML format for opening e-mail.
• Use a virus scanner on received e-mail and its attachments, before opening either.
• Place attachments in an area that is quarantined by a virus scanner.
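Several of these recommendations (delete attachments from unknown sources, avoid HTML e-mail, quarantine attachments rather than delivering them straight to the inbox) can be enforced at the e-mail gateway before a message reaches a user. The Python example below is added here to show what such a gateway rule looks like; it is not part of the solutions manual and does not describe any particular product. It uses only the standard library `email` package. The trusted-sender list, the blocked extension list, the `example.test` addresses and both sample messages are constructed assumptions; the treatment of an HTML-formatted body as a reason to quarantine is this example's reading of the "avoid HTML" recommendation. Virus scanning itself, which the recommendations also call for, is outside what this block does.

```python
import os
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: the company maintains a list of senders from whom attachments
# (such as recipes) are expected.
TRUSTED_SENDERS = {"testbakery@toronto.example.test", "masterbaker@chicago.example.test"}

# Assumption: file types the company never expects to receive as attachments.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js"}


def assess_message(raw: bytes, trusted_senders=TRUSTED_SENDERS) -> dict:
    """Apply the attachment-handling rules to one raw RFC 822 message.

    Returns the attachment names found, the rules that fired and a verdict:
    'deliver' when nothing fired, otherwise 'quarantine' (hand the message to
    the virus-scanner quarantine area instead of the user's inbox)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    attachments = [part.get_filename() or "(unnamed)" for part in msg.iter_attachments()]

    # Rule: delete/quarantine attachments from unknown sources.
    if attachments and sender not in trusted_senders:
        reasons.append(f"attachment from unknown sender {sender}")

    # Rule: avoid HTML e-mail; flag messages whose body is HTML.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        reasons.append("message body is HTML")

    # Rule: never deliver executable-type attachments.
    for name in attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type {ext} ({name})")

    return {"action": "quarantine" if reasons else "deliver",
            "attachments": attachments, "reasons": reasons}


# Constructed sample: HTML message with an executable attachment from an unknown sender.
SUSPICIOUS_MESSAGE = b"""\
From: accounts@outside.example.test
To: baker@chicago.example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><p>Please open the attached invoice.</p></body></html>
--sep
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: 7bit

(constructed placeholder text, not a real program)
--sep--
"""

# Constructed sample: plain-text recipe from the Toronto test bakery.
RECIPE_MESSAGE = b"""\
From: testbakery@toronto.example.test
To: masterbaker@chicago.example.test
Subject: Improved cake recipe
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Recipe attached as agreed.
--sep
Content-Type: text/plain; charset="us-ascii"; name="cake-recipe.txt"
Content-Disposition: attachment; filename="cake-recipe.txt"
Content-Transfer-Encoding: 7bit

2 cups flour, 1 cup sugar ... (constructed sample)
--sep--
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("recipe", RECIPE_MESSAGE)):
        print(label, assess_message(raw))
```

The suspicious sample trips three rules (unknown sender with an attachment, HTML body, executable attachment type) and is quarantined, while the recipe from a trusted sender is delivered; the point of listing every reason rather than stopping at the first is that the quarantine log then shows which recommendation each held message violated.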