Description
Computer Security. Refer to the attachment for the question.
References in APA style.
Planet of the Grapes, a local wine and spirit merchant currently operates in three stores around Perth. Stores are independent from one another and there is no data sharing between stores, although this is not by design but simply a by-product of faster than expected expansion. The organisation is now moving into the online arena and has contracted your computer consulting company to perform a variety of audits on their computer network. The owners have never employed any IT security staff in the past and have preferred to set up systems for themselves. However, it has become apparent that the risks of moving business systems online are not to be ignored. For this reason you are being asked to investigate the security of the system and make recommendations.
There are two distinct tasks being requested in this phase of the audit. Each of these should be answered separately.
Question 2: Legacy code (40 marks)
The Internet in Perth is notoriously bad and the Internet connection between Planet of the Grapes and their bank is down on a regular basis. To avoid losing out on any purchases during outages, Planet of the Grapes intends to allow offline purchases (as in the good old times). However, credit card data entered by a customer still needs to be verified offline to prevent malicious users from trying to buy goods with fake credit card numbers.
Planet of the Grapes staff have acquired an application that can do this, but they suspect that this program (supposedly implemented in C) is vulnerable to a critical and very common type of software security vulnerability. Planet of the Grapes has supplied you with a copy of the program (part of http://www.it.murdoch.edu.au/szander/ICT287/assignment1/form.php.) When you inquire about this software you learn that it cannot be patched as the code is part of a suite of utilities supplied by the financial provider and Planet of the Grapes cannot get access to the code.
Name and explain the type of vulnerability. Discuss what types of systems it affects and why it happens (what is the issue?). Discuss the impact of the vulnerability and how it may be exploited theoretically.
Besides discussing how the vulnerability may be exploited in general, discuss the impact of the vulnerability in this specific case of the credit card validation tool and describe and demonstrate (e.g. screenshot) how it can be exploited. It is not required to use a disassembler for this task, simply manipulating the tool’s input directly is sufficient.
Given that it is not possible to patch the code directly, there is no vendor update and it must remain in use, make at least 3 different recommendations that would reduce the risk this application poses. The recommendation must be specific to this case and not general mitigation strategies that do not apply in this case.
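One concrete way to reduce the risk of an unpatchable, input-driven binary is to never let raw customer input reach it: a small front end normalises and bounds the card number, runs the standard Luhn mod-10 check, and only then hands a clean digit string to the legacy program. The wrapper below is an added example written for this page, not the vendor's tool or any code from the assignment; it assumes a hypothetical legacy command-line tool that takes the card number as its single argument (the real tool's interface is not described here), and the length limits are taken from the usual 13-19 digit PAN range.

```python
"""Input-validating front end for an unpatchable card-check binary.

Added example, not code from the assignment or from the vendor's suite.
Assumes a hypothetical legacy tool invoked as: <tool_path> <card-number>.
"""
import re
import subprocess
from typing import Optional

# Constructed limits: primary account numbers are 13-19 digits long.
MIN_LEN, MAX_LEN = 13, 19
# Refuse oversized strings before any parsing, so an excessively long
# or pasted input is dropped here rather than handed to the legacy tool.
MAX_RAW_LEN = 64


def normalise_pan(raw: str) -> Optional[str]:
    """Return a digits-only PAN, or None if the input is not acceptable.

    Accepts ASCII digits optionally separated by single spaces or hyphens,
    within a bounded length.  Letters, control characters, shell
    metacharacters and over-long strings are rejected up front.
    """
    if not isinstance(raw, str) or len(raw) > MAX_RAW_LEN:
        return None
    if not re.fullmatch(r"[0-9](?:[ -]?[0-9])*", raw):
        return None
    digits = re.sub(r"[ -]", "", raw)
    if not MIN_LEN <= len(digits) <= MAX_LEN:
        return None
    return digits


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: catches typos and most made-up numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_card(raw: str) -> dict:
    """Front-end decision: what, if anything, the legacy tool may see."""
    pan = normalise_pan(raw)
    if pan is None:
        return {"accepted": False, "reason": "malformed input", "pan": None}
    if not luhn_valid(pan):
        return {"accepted": False, "reason": "Luhn check failed", "pan": None}
    return {"accepted": True, "reason": "ok", "pan": pan}


def run_legacy_tool(raw: str, tool_path: str, timeout: float = 5.0) -> int:
    """Invoke the hypothetical legacy binary only with validated input.

    Returns the tool's exit status, or 2 when the wrapper refused the input
    without running it.  Passing an argument list (no shell) and a timeout
    limits what a bad input can do to the calling process.
    """
    verdict = check_card(raw)
    if not verdict["accepted"]:
        return 2
    proc = subprocess.run(
        [tool_path, verdict["pan"]],
        capture_output=True,
        timeout=timeout,
        check=False,
    )
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample inputs: a well-known test number, a typo, and
    # two strings a card form should never forward to a native program.
    for sample in ["4111 1111 1111 1111",
                   "4111111111111112",
                   "4111111111111111; echo injected",
                   "9" * 300]:
        print(repr(sample[:40]), "->", check_card(sample)["reason"])
```

Only `check_card` is exercised offline; `run_legacy_tool` is the point at which the validated string would be handed to the real binary. The wrapper does not fix the underlying flaw in the tool, it shrinks the input space that can reach it, which is why it belongs alongside, not instead of, isolating the host the tool runs on.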
This description of the vulnerability and the recommendations should be presented in a format suitable for a general technical audience, i.e. someone who is proficient in IT in general but may not be a security expert. Citations should be used where appropriate.
The expected answer length is approximately 2-3 pages and the answer must not be longer than 4 pages.
Explanation & Answer
Find the attached paper. In case you need edits, feel free to seek clarification or edits.
Outline
Introduction
Body
Conclusion
References
Running head: OFFLINE PURCHASES VULNERABILITIES
Offline Purchases Vulnerabilities
Name:
Institution:
Offline Purchases Vulnerabilities
Name and explain the type of vulnerability.
Planet of the Grapes, having experienced regular downtime of its internet connection with its bank, opted to apply an offline purchase system like the Point-Of-Sale system to help them whenever making sales. However, the vulnerability exists between the POS workstation and the store server, whereby it lacks basic protection mechanisms. Since the system does not check whether an individual carrying out the transaction is authorized to perform the critical function, it opens up the system to a series of attack vectors (Shimpi, 2016). For example, a malicious hacker can use a Raspberry Pi to upload malicious code designed to send card numbers to his or her server by connecting it to the network where the POS terminal is located. Typically, the vulnerability allows one to steal card information, but it goes beyond stealing such data. The hac...