CSE3482 Midterm Winter2024 Solution

The document outlines the midterm examination for EECS 3482, Introduction to Computer Security, detailing instructions, question types, and point allocations. It consists of multiple-choice questions, malware identification, password cracking, software vulnerabilities, steganography, and cryptography topics. The exam is closed book and closed notes, with a total score of 100 points across six questions.


Department of Computer Science and Engineering

EECS 3482
Introduction to Computer Security
Instructor: N. Vlajic
Date: Feb 26, 2024

Midterm Examination

Instructions:

• Examination time: 75 min.
• Print your name and CSE student number in the space provided below.
• This examination is closed book and closed notes.
• There are 6 questions. The points for each question are given in square brackets, next to the
question title. The overall maximum score is 100.
• Answer each question in the space provided. If you need to continue an answer onto the last
page, clearly indicate that and label the continuation with the question number.

FIRST NAME: _______________________
LAST NAME: _______________________
STUDENT #: _______________________

Question   Points
1          / 30
2          / 18
3          / 12
4          / 18
5          / 11
6          / 11
Total      / 100

1. Multiple Choice [30 points]
Circle the correct answer(s) to the following questions / statements. For each statement, you will
obtain 0 marks if the number of circled answers is more/less than appropriate.

(1.1) [3 points] Which type of computer security professionals engage in “analysis of network traffic to look for evidence of malicious activity”?
(a) ethical hackers
(b) source code (software) auditors
(c) forensics specialists
(d) malware analysts

(1.2) [2 points] Which Canadian Law/Bill/Act is concerned with “cyber-risks associated with
the use of third-party products and services”?
(a) PIPEDA
(b) Bill C-26
(c) Bill C-27
(d) all of the above

(1.3) [2 points] Which Human Resource (HR) duties/roles can support and improve the
(cyber) security posture of the respective organization?
(a) candidate (new-hire) screening
(b) policy writing
(c) employee training
(d) all of the above

(1.4) [3 points] In Cyber Security, a typical Disaster Management process consists of three
main stages/phases. Which of the three stages/phases has the longest time-horizon (i.e., can
take several months to several years to complete)?
(a) Incident Response
(b) Business Continuity
(c) Disaster Recovery
(d) each of the three stages/phases could take from several months to several years to
complete

(1.5) [2 points] In class, we have discussed 4 real-world cyber security incidents. Which of
these incidents was conducted by malicious insider(s)?
(a) First American Financial incident of 2019
(b) Desjardins incident of 2019
(c) SolarWinds incident of 2020
(d) 23andMe incident of 2023

(1.6) [3 points] In class, we have discussed the relationship between (raw) ‘data’ and the
‘information’ this data may ultimately yield/present. Which (one) CIA component will best
complete the following sentence?
“Attack on data _______________ may not necessarily result in a compromise of
_______________ in respective information.”
(a) confidentiality
(b) integrity
(c) availability

(1.7) [3 points] Which type of attacks do ‘scrubbing services/centers’ generally protect against?
(a) attacks on data confidentiality
(b) attacks on data integrity
(c) attacks on data availability
(d) all of the above

(1.8) [3 points] Choose the cyber security concept that best describes/matches the entity in
the below graph marked with ‘X’.
(a) adversary
(b) asset
(c) data
(d) vulnerability

(1.9) [2 points] Which option best completes the following sentence?
“___________________ are generally considered to be a threat-actor group with the lowest
level of capability and sophistication.”
(a) nation states
(b) cybercriminals
(c) malicious insiders (note: very high level of capability, i.e., ability to do harm)
(d) hacktivists

(1.10) [2 points] Which option best completes the following sentence?
“A _____________ hat hacker’s intention is to improve the security of a system without being tasked to do so by the system’s owner.”
(a) white
(b) black
(c) blue
(d) none of the above

(1.11) [2 points] Regular operating-system (OS) updating and patching on all machines of
an enterprise is an effective measure against which of the following threat events?
(a) forces of nature
(b) hardware failure
(c) deviation in quality of service
(d) none of the above

(1.12) [3 points] Which of the following are examples of a ‘passive’ attack?
(a) DoS attack that aims to saturate the network bandwidth towards the target/victim
machine by sending a flood of ‘dumb’ packets (i.e., packets that do not require any significant
processing)
(b) DoS attack that aims to overwhelm the CPU of the target/victim machine by sending a
select number of computationally heavy requests
(c) both (a) and (b) are examples of ‘passive’ attacks
(d) neither (a) nor (b) are examples of ‘passive’ attacks

2. Malware [18 points]
2.1 [9 points] Different Types of Malware
In class, we have discussed many different types of malware (worm, virus, key-logger, etc.). For
each of the below figures, state the most likely type of malware that the figure illustrates.

(a)

This type of malware is called: trojan.

(b)

This type of malware is called: logic bomb.

(c)

This type of malware is called: rootkit.

2.2 [3 points]
In class, we have talked about the different phases of a virus lifecycle. In which phase of the virus
lifecycle is “the virus activated/evoked to perform the function for which it was intended”?
(a) Dormant Phase
(b) Propagation Phase
(c) Triggering Phase
(d) Execution Phase

2.3 [6 points] Probability of Virus Infection

Mallory is an elite hacker. Recently, she has discovered a zero-day vulnerability in the Windows-11
OS, and she has just finished coding a novel PDF-macro virus (VirusM) that is capable of
exploiting this vulnerability in any targeted Windows-11 machine. She has also successfully
injected VirusM into a PDF document named ImportantUpdate.pdf. Mallory is now planning on
sending ImportantUpdate.pdf as an attachment in a phishing email to N targeted users.

If we assume that:
- the number of targeted users (i.e., users receiving Mallory’s phishing email) is N=1000;
- only 30% of targeted users will fall for Mallory’s ‘phish’ and click on ImportantUpdate.pdf;
- among the targeted users, 50% have a Windows-10 machine, 20% have a Windows-11
machine, 15% have a Linux machine, and 15% have a MacOS machine;
how many machines will ultimately get infected with VirusM?
In the space below, provide and briefly justify your answer.

Solution:

Probability that a targeted user clicks on the infected document AND runs a Windows-11 machine =
= P(successful infection) = 0.3 x 0.2 = 0.06

Thus, # of infected machines = # of targeted machines x P(successful infection) =
= 1000 x 0.06 =
= 60

3. Attacks Using Malicious Software Tools [12 points]
3.1 [3 points] Which of the following statements are correct when it comes to ‘on-line’ and ‘off-line’ password cracking?
a) On-line password cracking is generally faster to conduct than off-line password cracking.
b) On-line password cracking is generally harder to detect (by the victim system) than off-line password cracking.
c) Unlike on-line password cracking, off-line password cracking requires access to a particular type of ‘internal information’ from the victim system.
d) Dictionary-based off-line password cracking has higher chances of success than brute-force based off-line password cracking, even in the case of entirely random passwords.

3.2 [3 points] In 2022 an e-commerce web-site (abc-commerce.com) was able to generate
$200,000 daily revenue. In 2023 abc-commerce.com was targeted by a continuous (i.e., a full-year
long) low-and-slow DDoS attack. As a result of this attack, the site’s response time became
approx. 0.5 sec longer, which has caused 10% of the site’s users to switch to other
(competitor) sites. What will be the annual revenue loss experienced by abc-commerce.com in
2024 due to the consequences of the low-and-slow DDoS attack of 2023 (assuming all other
parameters remain the same)?
a) $20,000
b) $58,000
c) $840,000
d) $3,100,000
e) $7,300,000

3.3 [3 points] In class, we have discussed volumetric DDoS attacks, in which a flood of
(dummy) IP packets is sent towards the victim machine. We have also explained that such
DDoS attacks are also often paired with IP address spoofing. Which IP address(es) are typically
‘spoofed’ in the dummy packets of volumetric DDoS attacks?
a) source IP addresses
b) destination IP addresses
c) both a) and b) have to be spoofed

3.4 [3 points] Mallory runs a popular blog site, and she is also an ‘affiliate’ of a popular sports
brand – LuLuX. This means that Mallory features some of LuLuX products on her blog site.
Every time a visitor to her site clicks on a featured LuLuX link/product, and lands on a LuLuX
page, Mallory receives a small commission.
To increase her affiliate earnings, Mallory is now contemplating a fraudulent scheme in which
she would craft/generate fake requests for LuLuX pages that (falsely) appear to be arriving from
Mallory’s blog site. Which type of spoofing would make this fraudulent scheme possible?
a) HTTP spoofing
b) request spoofing
c) DNS spoofing
d) referer spoofing

4. Software Attacks and Vulnerabilities [18 points]

4.1 [3 points] The score of one CVSS sub-metric changes its value depending on the
‘existence of any patches or workarounds’ for the assessed vulnerability. Which group of CVSS
metrics does this sub-metric belong to?
a) Base
b) Temporal
c) Resolution
d) Environmental

4.2 [3 points] Which of the CVSS Base Metrics is intended to reflect ‘whether (exploitation of) a
vulnerability in one system or component can carry over to another system or component’?
a) Attack Complexity
b) Privileges
c) User Interaction
d) Scope

4.3 [3 points] As discussed in class, CVSS sub-metrics can be assigned both quantitative
(numerical) and respective qualitative (label) scores. In general, the higher the numerical score,
the higher the risk of vulnerability exploitation.
Now, consider a vulnerability that is given the score ‘None’ for/under the Privileges Required metric.
What do you think would be the respective numerical value corresponding to this
qualitative/label score?
a) 0.85
b) 0.62
c) 0.27
d) 0.0

4.4 [5 points] In class, we talked about the Heartbleed vulnerability. The CVSS v3.1 vector
score for this vulnerability is shown below. What is the meaning of the first element of the given
vector score: AV:N ? Provide your answer in the space below.

Solution:
The 1st element/parameter of the CVSS vector representation (AV) stands for ‘Attack Vector’, and it
specifies how (the given) vulnerability can be exploited in terms of the adversary’s proximity.
Possible AV values are:
N - Network (vulnerability can be exploited remotely / over the network – worst case), as in Heartbleed,
A - Adjacent (to exploit the vulnerability, the adversary must be in an adjacent network),
L - Local (to exploit the vulnerability, the adversary must be present in the local network),
P - Physical (to exploit the vulnerability, the adversary must have physical access to the vulnerable device).

4.5 [4 points] The timeline (i.e., lifecycle) of a zero-day vulnerability is shown in the below
figure. During which of the marked time intervals can we expect that the software vendor of an
identified zero-day vulnerability would be ‘working on identifying an adequate workaround’?
a) t_e to t_d
b) t_d to t_0
c) t_0 to t_s
d) t_s to t_p

5. Information Hiding / Steganography [11 points]
5.1 [4 points]
You are about to deploy a stego-tool called StegoWizard to hide a grayscale secret-image
inside a grayscale cover-image. The two images, as well as the resulting stego-image, are all of
the same size – 64 kbytes.
As explained in class, to generate the stego-image, StegoWizard takes the N most-significant
bits (MSBs) of every secret-image pixel and hides/places them over the N least-significant bits
(LSBs) of the respective cover-image pixel.
The StegoWizard tool allows you to pick/specify the value of N. If your objective is to create a
stego-image that is minimally suspicious to the adversary, while still serving its purpose of hiding
the secret-image inside the cover-image, which of the following values of N should you choose?

(a) N=0 (No hiding takes place.)
(b) N=2
(c) N=6 (Cover-image becomes very ‘blurred’ / low quality.)
(d) N=8 (Cover-image becomes the secret-image. Secret not hidden any longer.)
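As an added illustration of the StegoWizard procedure described in 5.1 (this code is not part of the exam): a plain-Python LSB substitution that embeds the N MSBs of each secret pixel into the N LSBs of the cover pixel, and a report of how much the cover is disturbed versus how well the secret survives for every N. The function names and the two constructed 256-pixel "images" are assumptions made for the example.

```python
# Added example, not part of the exam: a StegoWizard-style LSB substitution
# on 8-bit grayscale pixels (0..255), held here as plain Python lists.
# The function and image names are ours, chosen for illustration.

def embed(cover, secret, n):
    """Place the N most-significant bits of every secret pixel into the
    N least-significant bits of the matching cover pixel (N = 0..8)."""
    if not 0 <= n <= 8:
        raise ValueError("N must be between 0 and 8")
    if len(cover) != len(secret):
        raise ValueError("cover and secret images must be the same size")
    keep = (0xFF << n) & 0xFF                 # cover bits that survive (upper 8-N)
    return [(c & keep) | (s >> (8 - n)) for c, s in zip(cover, secret)]


def extract(stego, n):
    """Recover the secret image: read the N LSBs of each stego pixel and move
    them back to the MSB positions; the (8-N) discarded bits come back as 0."""
    low = (1 << n) - 1
    return [(p & low) << (8 - n) for p in stego]


def max_abs_diff(a, b):
    """Worst-case per-pixel difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


def tradeoff(cover, secret):
    """For every N, report (cover distortion, secret loss): how far the
    stego-image drifts from the cover (what an observer might notice) and
    how far the recovered secret drifts from the original (is it still useful).
    The worst cases are 2**N - 1 and 2**(8-N) - 1 respectively."""
    report = {}
    for n in range(9):
        stego = embed(cover, secret, n)
        report[n] = (max_abs_diff(cover, stego),
                     max_abs_diff(secret, extract(stego, n)))
    return report


# Constructed 256-pixel "images": one ramp as the cover, a different ramp as the secret.
COVER = [(17 * i) % 256 for i in range(256)]
SECRET = [(255 - 3 * i) % 256 for i in range(256)]

if __name__ == "__main__":
    for n, (cover_err, secret_err) in tradeoff(COVER, SECRET).items():
        print(f"N={n}: cover changes by up to {cover_err:3d}, "
              f"secret recovered within {secret_err:3d}")
```

Running it shows the two ends of the trade-off from the options above: N=0 leaves the cover untouched but carries nothing, N=8 reproduces the secret exactly while replacing the cover, and small N keeps the cover change within 2^N - 1 grey levels.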

5.2 [4 points]
JP Hide and Seek is another image steganography tool that can be used for hiding of secret
messages inside JPEG image files. If you are to use this tool to hide a large text/secret
message, which of the following images would you choose as the cover-image, and why? Circle
the correct answer and briefly justify your reasoning in the space provided below.

[Figure: JPEG Image A (left) and JPEG Image B (right); images not reproduced.]

(a) JPEG Image A would be a better cover-image.
(b) JPEG Image B would be a better cover-image.

Solution:
The best ‘locations’ for hiding secret bits inside a JPEG file are the ‘high frequency’ DCT
components. Based on the look of the two images, JPEG Image B is a compressed version of
JPEG Image A, and as such already has many (a majority) of its high frequency DCT components
suppressed/removed. In other words, the majority of DCT components in JPEG Image B are low-
frequency (low-entropy), which are NOT good for hiding secret bits – as hiding secret bits in
low-entropy areas would introduce (visible) disturbances …

5.3 [3 points]
Based on the above descriptions of StegoWizard and JP Hide and Seek, use one of the
following options to best complete the below sentences.
A. data redundancy
B. space redundancy

The image-hiding procedure deployed in StegoWizard is based on the principle of _______.  Answer: A
The image-hiding procedure deployed in JP Hide and Seek is based on the principle of _______.  Answer: A

6. Cryptography [11 points]

6.1 [3 points]
Consider an encryption algorithm which for a plaintext file (e.g., a text file or an image) of size
n bytes produces a ciphertext file of the same size (n bytes). In your opinion, how will the
entropies of the two files compare?
(a) The entropies of the two files will be/remain the same.
(b) The entropy of the ciphertext will be greater relative to the entropy of the plaintext file.
(c) The entropy of the ciphertext will be smaller relative to the entropy of the plaintext file.
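As an added illustration for 6.1 (not code from the exam): measuring the Shannon byte entropy of a constructed plaintext and of an equal-sized ciphertext. The size-preserving cipher used here is a stand-in chosen for the example (XOR with a SHA-256 counter keystream), and the function names, sample text and key are all assumptions of the example.

```python
# Added example, not part of the exam: compare the byte entropy of a plaintext
# with that of an equal-sized ciphertext. The cipher is a stand-in chosen for
# illustration (XOR with a SHA-256 counter keystream), not a recommended design.
import hashlib
import math
from collections import Counter


def byte_entropy(data):
    """Shannon entropy of the byte histogram, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(data).values())


def keystream(key, length):
    """Deterministic pseudo-random bytes: SHA-256(key || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_encrypt(plaintext, key):
    """Size-preserving encryption: the ciphertext has exactly len(plaintext) bytes."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


# Constructed inputs: a repetitive English text (low entropy) and a demo key.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 50
KEY = b"constructed-demo-key"


def compare_entropies(plaintext=PLAINTEXT, key=KEY):
    """Return (plaintext entropy, ciphertext entropy) for a same-size ciphertext."""
    ciphertext = xor_encrypt(plaintext, key)
    assert len(ciphertext) == len(plaintext)
    return byte_entropy(plaintext), byte_entropy(ciphertext)


if __name__ == "__main__":
    h_pt, h_ct = compare_entropies()
    print(f"plaintext : {h_pt:.2f} bits/byte over {len(PLAINTEXT)} bytes")
    print(f"ciphertext: {h_ct:.2f} bits/byte over {len(PLAINTEXT)} bytes")
```

Because XOR with the same keystream is its own inverse, `xor_encrypt` also decrypts; the entropy comparison is what the question is about, the cipher only has to keep the file size unchanged.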

6.2 [3 points]
Alice is in the process of establishing a secure HTTPS session with her bank’s Web-server,
while Mallory is able to observe the content of this session’s TLS 1.2 packets (including the
connection establishment packets). Which of the following does this practically imply?
(a) Mallory will be able to determine which specific encryption algorithm(s) are going to be
used between/by Alice’s browser and the bank’s server.
(b) Mallory will be able to determine the size of encryption keys used between Alice’s browser
and the bank’s server.
(c) Both (a) and (b).
(d) Neither (a) nor (b).

6.3 [5 points]
Alice and Bob have exchanged a message encrypted using a symmetric encryption algorithm
with a secret key of size 32 bits. Trudy has captured this message and now wants to decrypt it.
Through some form of social engineering, Trudy has also learned that the first and second half
of the secret key used by Bob and Alice are identical.
If Trudy’s computer can perform 2^12 decryptions per second, how long will it take for Trudy to
‘crack’ (i.e., find) the secret key, in the worst case?
(a) 1.2 hours
(b) 18 minutes
(c) 16 seconds
(d) under 1 second

Solution:
Key = ABCD… ABCD…
Search space = 2^16 [keys]
Search time = 2^16 [keys] / 2^12 [keys/sec] = 2^4 [sec] = 16 sec

Grade Analysis & Statistics

Average: 59.675 ≈ 60
Max: 89
Min: 36
# of A/A+: 7

Say you got 36 on the midterm AND final and 100 on other course components.
Your overall grade would be:

0.37×36 + 0.37×36 + 0.26×100 = 51.92 (D)

Say you got 48 on the midterm AND final and 100 on other course components.
Your overall grade would be:

0.37×48 + 0.37×48 + 0.26×100 = 61.52 (C)

Say you got 60 on the midterm AND final and 100 on other course components.
Your overall grade would be:

0.37×60 + 0.37×60 + 0.26×100 = 70.4 (B)

Say you got 73 on the midterm and final and 100 on other course components.
Your overall grade would be:

0.37×73 + 0.37×73 + 0.26×100 = 80.02 (A)

