\documentclass{article}
\usepackage{../style}

\begin{document}

\section*{Homework 1}

\HEADER


\begin{enumerate}
\item {\bf (Optional)} If you want to have a look at the code
presented in the lectures, install \texttt{Node.js}, available (for free) from
\begin{center}
\url{http://nodejs.org}
\end{center}

It also needs the Node packages Express, Cookie-Parser,
Body-Parser and Crypto. They can be easily installed using the
Node package manager \texttt{npm}.


\item Practice thinking like an attacker. Assume the following situation:

\begin{quote}\it
Prof.~V.~Nasty gives the following final exam question (closed books, closed notes):\bigskip

\noindent
\begin{tabular}{@ {}l}
Write the first 100 digits of pi:\\
3.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
\end{tabular}
\end{quote}

\noindent
Think of ways in which you could cheat in this exam. How would you defend
against such cheats?

\item Here is another puzzle where you can practice thinking
like an attacker: Consider modern car keys. They
wirelessly open and close the central locking system of
the car. Whenever you lock the car, the car ``responds''
by flashing the indicator lights. Can you think of a
security-relevant purpose for that? (Hint: Imagine you
are in the business of stealing cars. What attack would
be easier to perform if the lights do not flash?)
%Should the car also make a ``beep noise'' when it
%unlocks the doors? Which threat could be thwarted
%by that?

\item And another one: A water company installed devices that
transmit meter readings when their company car drives
by. How can this transmitted data be abused if it is not
properly encrypted? If you identified an abuse, then how
would you encrypt the data so that such an abuse is
prevented? Hint: Consider the fact that every person
uses approximately 120~l of water every day.

%\item And another one: Nowadays everybody and their
% grandmother seems to be scared about a bomb going off at
% a big event, say a football game. To mitigate such a
% threat, you order expensive metal detectors and hire a
% security team that will staff these detectors at each
% game. Think whether people are really safer at a
% football game with metal detectors or not. Hint: People
% certainly might *\emph{feel}* safer by going through
% metal detectors, but the question is whether they
% *\emph{are}* safer. Hint: Consider how people arrive at
% such an event: within a relative short amount of time,
% thousands, if not more, spectators will arrive at your
% football game.

%% CYA security - cover-your-ass
% It's an attitude I've seen before: "Something must
% be done. This is something. Therefore, we must do it."
% Never mind if the something makes any sense or not.




%\item Imagine there was recently a break in where computer criminals
% stole a large password database containing

\item Explain what hashes and salts are. Describe how they can be used
for ensuring data integrity and for storing password information.

\item What is the difference between a brute-force attack and a
dictionary attack on passwords?

\item Even good passwords consisting of 8 characters can be
broken in around 50 days (obviously this time varies a
lot and also gets shorter and shorter over time). Do you
think it is good policy to require users to change their
password every 3 months (as King's did until recently)?
Under which circumstances should users be required to
change their password?

\item The biggest dictionary for dictionary attacks I know of
contains 15 billion entries. If you try out all of these
15 billion entries in order to hack one password, what
percentage of the full brute-force space have you
covered? For this, assume passwords use 62 characters and
are typically 8 characters long.

\item What are good uses of cookies (that is, browser cookies)?

\item Why is making bank customers liable for financial fraud a bad
design choice for credit card payments?

\item \POSTSCRIPT
\end{enumerate}

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: