Institute of Computer Science
  1. Courses
  2. 2024/25 fall
  3. Information Security (MTAT.07.028)
ET
Log in

Information Security 2024/25 fall

  • Home
  • Lectures & labs
  • Homework & course rules
  • Terminology
  • Exam
  • Links

Homework #1 (15p)

Table of contents

  • Recommended reading
  • Written tasks (8p)
    • Submission form
  • Practice session tasks (7p)
    • EXIF metadata
    • Data recovery
    • VeraCrypt container
    • Encrypted zip file



Deadline: October 13th. The deadline is the same for the solutions of written tasks and practical tasks.

Recommended reading

  • Introduction to Randomness and Random Numbers
  • Random vs. Pseudorandom Number Generators
  • Why secure systems require random numbers
  • How to: Delete Your Data Securely on Windows

Written tasks

Encryption

  1. Read about random numbers from the links above and answer the following questions. Format the answers in a numbered list, such that the answer for each subquestion does not exceed two sentences.
    • Why is randomness relevant when using encryption (be specific)? (0.5p)
    • Why are many software applications using pseudorandom number generators instead of using true random numbers? (0.5p)

Secure deletion & Hidden data

  1. What would be the fastest way to wipe (make the data unrecoverable) an encrypted drive? It is not allowed to physically break or damage the drive. You can assume that the algorithm that is used to encrypt the drive is secure and can not be broken and that there are no backups for the data and for the key. Hint: What is normally needed to decrypt the drive? (1p)

Privacy and anonymity

  1. Use Tor Browser to visit a hidden service at http://yoww5eeifvhavyzyz7ttpuyl5o7lodauguirwpknuzcs2mihkrzgg3ad.onion/. The link does not work with regular browsers. If the page does not load, make sure that the link begins with http instead of https. You will have to register yourself in order to get the point. Hint: you will need to use the Tor browser to access this link. (1p)
  2. Visit https://infsec.cs.ut.ee/cookies/ and follow the instructions. You have to find a specific cookie in your web browser and copy its contents into a form on that site. (1p)
  3. Lets assume that there is no encryption used between the web browser and the web server when the browser runs in a normal mode. Using this information, briefly discuss what are the technical/cryptographic reasons why the browser in private mode can not encrypt the connection between the browser and the same website. We expect a technical/cryptographic reason, saying that this is not the functionality of private mode is not sufficient. Hint: what is needed to use encryption? (1p)
  4. Read one of the papers from the list below and answer the following questions. Format the answers so that it is clear, which question is answered. The person reading the answer should understand it even without reading the corresponding paper.
    • The first task is to write a one paragraph summary, which describes the main idea or contribution of the paper.
    • The second task is to bring out and briefly describe two aspects that seemed most important to you in this paper. The latter has to be presented as a list.
    • The third task is to add your own opinion / discussion to these aspects. (3p)
    1. I never signed up for this! Privacy implications of email tracking (2018)
    2. Third Party Tracking in the Mobile Ecosystem (2018)
    3. Good News for People Who Love Bad News: Centralization, Privacy, and Transparency on US News Sites (2019)
    4. Privacy Policies over Time: Curation and Analysis of a Million-Document Dataset (2020)
    5. The CNAME of the Game: Large-scale Analysis of DNS-based Tracking Evasion (2021)
    6. Bugs in our Pockets: The Risks of Client-Side Scanning (2021)
    7. Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States (2021)
    8. Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors (2021)
    9. Are iPhones Really Better for Privacy? A Comparative Study of iOS and Android Apps (2022)
    10. Blocking JavaScript without Breaking the Web: An Empirical Investigation (2023)
    11. The Devil is in the Details: Detection, Measurement and Lawfulness of Server-Side Tracking on the Web (2024)

Submission form for the written tasks

The solution has to be submitted through this website. The solution can be submitted once you have logged in with the university credentials. We accept solutions only in .pdf format if it is not stated otherwise in the homework task. The solutions of the practical tasks have to submitted separately to their corresponding input forms (see below).

We would like to get feedback about the difficulty of the homework and therefore we would kindly ask you to write in the comments box an estimate of how much time it took to solve the homework tasks.

You must be logged in and registered to the course in order to submit solutions.

Practice session tasks

The following tasks are supposed to be solved in the first lab. If you did not attend the lab, you will have to solve these tasks on your own.

EXIF metadata

The task is to use exiftool to view EXIF metadata included in photos.

Download one image from the list of sample files and follow the instructions. (2p)

  1. View metadata.
  2. Try to validate whether the GPS coordinates are valid and match the contents of the photo.
  3. Remove the metadata from this image.
  4. Use exiftool to check that the metadata was removed/cleaned.
  5. Edit the metadata according the following instructions.
    1. Right click the image and select Properties -> Details.
    2. Find the field with the label Author and enter your pseodunym for the information security course. You can find your pseudonym from the top right corner of this page by viewing your profile (this requires that you are logged in). Pseodunym has to be valid, as this is used to grade the solution.
    3. Click Apply and OK.
    4. Use exiftool to check that the metadata has been modified according to the instructions. If this is the case, submit the file as a solution.
You must be logged in and registered to the course in order to submit solutions.

Data recovery

Recover the data from a virtual hard drive, the name of the virtual drive is "Virtual USB". If you already submitted the solution in the lab then you do not need to resubmit it. (1p)

Upload the recovered image. Modify the metadata according to the lab instructions: edit the meta-data of the file by writing your pseudonym into the Tags field. Submit the picture as part of your homework solution.

This task can only be solved during the practice session(s). If you missed the lab and can not use the provided virtual machine, try to recover deleted files from your own computer. You can choose, which kind of software to use (lab notes contain instructions for Windows operating system). If you solve the task on your own, submit a screenshot of the software, which shows the recovered file (the filename can be blurred). The screenshot must contain your full name, date, time.

You must be logged in and registered to the course in order to submit solutions.

VeraCrypt container

Create an encrypted file container with VeraCrypt and submit it as part of the homework. Follow the instructions in the lab session page on how to install and use VeraCrypt. If you already submitted the solution in the lab then you do not need to resubmit it. (2p)

  • The container itself should be small (500 kB)
  • The password must be "security24" (written in lowercase and without quotes)
  • Create a text (.txt) file in the container that has your surname as filename, e.g. Krips.txt. The file content is not important.
  • Make sure that you are able to mount the container with the correct password and then submit the VeraCrypt container as a solution. To upload the container you will first have to dismount it.
You must be logged in and registered to the course in order to submit solutions.

Encrypted zip file

Encrypt a file with 7-Zip and submit it as a solution to this task. You must follow the requirements that are described below in order to get full points. More detailed instructions are available on the lab page.

The submissions are graded automatically, which means that in case the requirements are not followed you may get 0 points. If you already submitted the solution in the lab then you do not need to resubmit it. (2p)

  • There has to be one text file (.txt format, not .docx, not .pdf, etc.) in the zip container. The name of the zip file has to be your family name, for example Krips.txt. In the first row of the text file has to be your pseudonym, which you can find under you courses.cs.ut.ee profile (log in to find your profile from the top right corner of the page).
  • Thus, the zip file has to be small (less than 500 kB)
  • The password has to be "123456789" (written without the quotes). In case the zip file does not decrypt with the password 123456789, the grading system will automatically assign 0 points for this task.
You must be logged in and registered to the course in order to submit solutions.
  • Institute of Computer Science
  • Faculty of Science and Technology
  • University of Tartu
In case of technical problems or questions write to:

Contact the course organizers with the organizational and course content questions.
The proprietary copyrights of educational materials belong to the University of Tartu. The use of educational materials is permitted for the purposes and under the conditions provided for in the copyright law for the free use of a work. When using educational materials, the user is obligated to give credit to the author of the educational materials.
The use of educational materials for other purposes is allowed only with the prior written consent of the University of Tartu.
Terms of use for the Courses environment