Computer Security Assignment

ICT287 Computer Security Assignment 2 – V1.5 Last Updated 24/02/2017
Murdoch University
ICT287 Computer Security
Due Dates: Assignment: Friday 28 July 2017, 23:55
Topic Approval: Friday 30 June 2017, 16:00
Assignment Information
You should submit your assignment online using the Assignment submission on LMS.
This is a group assignment. Each group consists of 2 students. Smaller or larger groups will only be
allowed in extreme circumstances and only if approved by the unit coordinator.
Late submissions will be penalised at the rate of 10% of marks per day late or part thereof.
You should submit your assignment as ONE word-processed document containing
all of the required
question answers. Allowed formats are either PDF or MS Word.
You
must keep a copy of the final version of your assignment as submitted and be prepared to
provide it on request.
The University treats plagiarism, collusion, theft of other students’ work and other forms of academic
misconduct in assessment seriously. Any instances of academic misconduct in this assessment will be
forwarded immediately to the Faculty Dean. For guidelines on academic misconduct in assessment
including avoiding plagiarism, see:
http://our.murdoch.edu.au/Student-life/Study-successfully/StudySkills/Referencing/
Vulnerability Research project
Following on from your successful analysis of Planet of the Grapes you have been recruited
as a full time security administrator by an online partner organization
Paul’s Wine Network
(PWN).
In addition to your regular admin tasks, one of your roles is to provide training and
education to the rest of the team. To do so, you will choose security vulnerability, document
it and provide a presentation to educate others about the significance of this issue.
The aim of this project is to put your skills to more practical use. In this project you will
research and learn about security vulnerability, and then develop a test environment to
demonstrate this vulnerability. You will demonstrate this to other students in class. Your
report will contain details on the vulnerability as well as mitigation strategy.

ICT287 Computer Security Assignment 2 – V1.5 Last Updated 24/02/2017
It is anticipated that students will attempt a very diverse range of projects; therefore more
specific details of the project may be discussed in class to give you more guidance.
The main activities that you will undertake are as follows:
1. Research and discover a security vulnerability that has significant impact and is
reasonably widespread. Things that are of low impact or very rare are not of interest
here as we want to highlight something that is an important issue. Details about things
like impact etc. are commonly included in bug reports and CVE lists so this is a good
starting point.
2. Explain and document the source of this vulnerability and the causes in your own
words. (1 page roughly). A copy of a CVE report is not acceptable.
3. Identify a system or systems where this issue exists “in the wild”. That is, you must
find a vulnerable system that you can document. If this is impossible then you will
need to discuss with your tutor and explain why it’s not possible and obtain approval
before proceeding. You may be advised that you need to pick a different topic, so do
this early. If you are advised to proceed, then you will need to provide alternative
documentation or evidence that the vulnerability does indeed exist widespread and
that it is worth analysing.
4. Build a test environment which is vulnerable to your chosen issue. This is exactly
what has been done for you every week when you were provided with the vulnerable
VM images. The test environment should be saved as a Virtual Box VM image that
works in our labs and this is to be submitted. If you submit a VM that I have created
then I will give the marks to myself and not to you. Credentials for the test
environment must be:

Account Type Username Password
Administrator Account admin admin
Regular user user user

If you submit a VM that I cannot access, due to wrong credentials or any other reason
then 10+ marks will be taken off for this component.
5. Write a report discussing the
a. Explanation and documentation of vulnerability (from item 2);
b. Existence of the vulnerability in production systems (from item 3);
c. Development of the test environment (this may be quite short and just needs to
include what you did. Screenshots are a good help here.);
d. Demonstration of the exploit in action (use screenshots to illustrate the
documentation);
e. Mitigation and prevention strategies for the exploit (this should be more than
simply “patch the software”. You should refer to your explanation of the
vulnerability to explain how and why the mitigations are suitable.
6. Demonstrate the test environment and exploit to your fellow students in class.
This is
a mandatory component of the assignment and will be done in the last lab time
slot.

ICT287 Computer Security Assignment 2 – V1.5 Last Updated 24/02/2017
Since there is emphasis on demonstrating the exploit, it is necessary that you have developed
the exploit code or at the very least customized source code from the public domain.
You are
not permitted to use metasploit.
You are also not permitted to present overly simple
exploits such as (but not limited to) default credentials or basic SQL injection.
All topics must be unique – therefore you should get your topic approved within the
first week as someone else might already choose the same one!
To ensure that suitable topics are chosen, you must discuss your plans with your tutor
BEFORE you may proceed with the assignment. It is expected that you will also obtain
feedback while you are still working on the assignment so that we may guide you.
Items 4,5,6 from the above list must be submitted for assessment. The report must be
submitted via LMS. Due to the size the test environment it can usually not be submitted to
LMS. You need to arrange the submission with your tutor.
General mark allocation:

Build & document VM test environment 20
Written report 60
Demonstration of exploit 20