hws/hw01.tex
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Thu, 15 Dec 2016 16:13:36 +0000
changeset 504 fd7f1ca1963f
parent 475 c5d9e164c5f1
child 528 c9f28c80bb08
permissions -rw-r--r--

\documentclass{article}
\usepackage{../style}

\begin{document}

\section*{Homework 1}

\HEADER


\begin{enumerate}
\item {\bf (Optional)} If you want to have a look at the code
  presented in the lectures, install \texttt{Node.js}, available (for free) from
\begin{center}
\url{http://nodejs.org}
\end{center}

You also need the Node packages Express, Cookie-Parser,
Body-Parser and Crypto. They can be installed easily using the
Node package manager \texttt{npm}.


\item Practice thinking like an attacker. Assume the following situation:

  \begin{quote}\it
    Prof.~V.~Nasty gives the following final exam question (closed books, closed notes):\bigskip

    \noindent
    \begin{tabular}{@ {}l}
      Write the first 100 digits of pi:\\
      3.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
    \end{tabular}
  \end{quote}

\noindent
Think of ways in which you could cheat in this exam. How would you defend
against such cheating?

\item Here is another puzzle where you can practice thinking
      like an attacker: Consider modern car keys. They
      wirelessly open and close the central locking system of
      the car. Whenever you lock the car, the car ``responds''
      by flashing the indicator lights. Can you think of a
      security-relevant purpose for that? (Hint: Imagine you
      are in the business of stealing cars. What attack would
      be easier to perform if the lights did not flash?)
      %Should the car also make a ``beep noise'' when it
      %unlocks the doors? Which threat could be thwarted
      %by that?

\item And another one: A water company installed devices that
      transmit meter readings when their company car drives
      by. How can this transmitted data be abused if it is not
      properly encrypted? If you identified an abuse, how
      would you encrypt the data so that such an abuse is
      prevented? Hint: Consider the fact that every person
      uses approximately 120\,l of water every day.

%\item And another one: Nowadays everybody and their
%      grandmother seems to be scared about a bomb going off at
%      a big event, say a football game. To mitigate such a
%      threat, you order expensive metal detectors and hire a
%      security team that will staff these detectors at each
%      game. Think whether people are really safer at a
%      football game with metal detectors or not. Hint: People
%      certainly might *\emph{feel}* safer by going through
%      metal detectors, but the question is whether they
%      *\emph{are}* safer. Hint: Consider how people arrive at
%      such an event: within a relative short amount of time,
%      thousands, if not more, spectators will arrive at your
%      football game.

%% CYA security - cover-your-ass
% It's an attitude I've seen before: "Something must 
% be done. This is something. Therefore, we must do it." 
% Never mind if the something makes any sense or not.
    



%\item Imagine there was recently a break in where computer criminals
%  stole a large password database containing 

\item Explain what hashes and salts are. Describe how they can be used
  for ensuring data integrity and storing password information.

\item What is the difference between a brute force attack and a 
  dictionary attack on passwords? 
  
\item Even good passwords consisting of 8 characters can be
      broken in around 50 days (obviously this time varies a
      lot and also gets shorter and shorter over time). Do you
      think it is good policy to require users to change their
      password every 3 months (as King's did until recently)?
      Under which circumstances should users be required to
      change their password?

\item The biggest dictionary for dictionary attacks I know of
      contains 15 billion entries. If you try out all of these
      15 billion entries in order to crack one password, what
      percentage of the full brute-force space have you
      covered? For this, assume passwords use 62 characters and
      are typically 8 characters long.

\item What are good uses of cookies (that is browser cookies)?

\item Why is making bank customers liable for financial fraud a bad
design choice for credit card payments?

\item \POSTSCRIPT
\end{enumerate}

\end{document}

%%% Local Variables: 
%%% mode: latex
%%% TeX-master: t
%%% End: