% author:      Christian Urban <christian dot urban at kcl dot ac dot uk>
% date:        Thu, 15 Oct 2015 01:41:33 +0100
% changeset:   406 (0516bffd3f5f)
% parent:      384 (3a7c08f2bf5d)
% child:       413 (0f824ca252e4)
% permissions: -rw-r--r--
\documentclass{article}
\usepackage{../style}

\begin{document}

\section*{Homework 1}

\HEADER


\begin{enumerate}
\item {\bf (Optional)} If you want to have a look at the code
presented in the lectures, install \texttt{Node.js}, available (for free) from
\begin{center}
\url{http://nodejs.org}
\end{center}

It also needs the Node packages Express, Cookie-Parser,
Body-Parser and Crypto. They can easily be installed using the
Node package manager \texttt{npm}.


\item Practice thinking like an attacker. Assume the following situation:

\begin{quote}\it
Prof.~V.~Nasty gives the following final exam question (closed books, closed notes):\bigskip

\noindent
\begin{tabular}{@ {}l}
Write the first 100 digits of pi:\\
3.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
\end{tabular}
\end{quote}

\noindent
Think of ways in which you could cheat in this exam. How would you defend
against such cheats?

\item Here is another puzzle where you can practice thinking
like an attacker: Consider modern car keys. They
wirelessly open and close the central locking system of
the car. Whenever you lock the car, the car ``responds''
by flashing the indicator lights. Can you think of a
security-relevant purpose for that? (Hint: Imagine you
are in the business of stealing cars. What attack would
be easier to perform if the lights did not flash?)
Should the car also make a ``beep noise'' when it
unlocks the doors? Which threat could be thwarted
by that?

\item And another one: Imagine you have at home a broadband
contract with TalkTalk. You do not like their service
and want to switch to Virgin, say. The procedure
between the Internet providers is that you contact
Virgin and set up a new contract, and they will
automatically inform TalkTalk to terminate the old
contract. TalkTalk will then send you a letter to
confirm that you want to terminate. If they do not hear
from you, they will proceed with terminating
the contract and will request any outstanding
cancellation fees. Virgin, on the other hand, sends you a
new router and paperwork about the new contract.
Obviously this way of doing things is meant to make
switching as convenient as possible. Still, can
you imagine situations in which this way of switching
providers can cause you a lot of headaches? For
this, consider that TalkTalk needs approximately 14 days
to reconnect you and might ask for reconnection fees.

\item And another one: A water company installed devices that
transmit meter readings when their company car drives
by. How can this transmitted data be abused, if not
properly encrypted? If you identified an abuse, then how
would you encrypt the data so that such an abuse is
prevented? Hint: Consider the fact that every person
uses approximately 120\,l of water every day.

%\item And another one: Nowadays everybody and their
% grandmother seems to be scared about a bomb going off at
% a big event, say a football game. To mitigate such a
% threat, you order expensive metal detectors and hire a
% security team that will staff these detectors at each
% game. Think whether people are really safer at a
% football game with metal detectors or not. Hint: People
% certainly might *\emph{feel}* safer by going through
% metal detectors, but the question is whether they
% *\emph{are}* safer. Hint: Consider how people arrive at
% such an event: within a relatively short amount of time,
% thousands, if not more, spectators will arrive at your
% football game.

%% CYA security - cover-your-ass
% It's an attitude I've seen before: "Something must
% be done. This is something. Therefore, we must do it."
% Never mind if the something makes any sense or not.

\item And another one: Imagine you are researching security
products (e.g.~CCTV, alarms, etc.) on a helpful website.
They ask you for your address details. Think about
whether this can be bad for you.


%\item Imagine there was recently a break-in where computer criminals
% stole a large password database containing

\item Explain what hashes and salts are. Describe how they can be used
for ensuring data integrity and storing password information.

\item What is the difference between a brute-force attack and a
dictionary attack on passwords?

\item Even good passwords consisting of 8 characters can be
broken in around 50 days (obviously this time varies a lot and
also gets shorter and shorter). Do you think it is good
policy to require users to change their password every 3
months (as King's did until recently)? Under which
circumstances should users be required to change their
password?

\item What are good uses of cookies (that is, browser cookies)?

\item Why is making bank customers liable for financial fraud a bad
design choice for credit card payments?

\end{enumerate}

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: