Homework #3

Deadline: December 1st (the solution has to be submitted before Monday)

Recommended reading

• Authentication
  • The secret to online safety: Lies, random characters, and a password manager
  • Man in the Browser Attack vs. Two Factor Authentication
  • Two Factor Auth List
• Attacks
  • CSRF DEMYSTIFIED
• Wifi
  • How to stay secure on public Wi-Fi

Written tasks

Authentication

1. Briefly answer the following two questions. Why might third party authetication provider (e.g., OAuth with OpenID connect) increase the security level of the service provider? How can third party authetication provider increase the security level for the client? (1p)
2. How would it be possible to attack a two-factor authentication system of a bank that consists of a password and a PIN calculator? Give a brief step-by-step description of the attack, which is written down as a ordered list of steps.
   
   Restrictions:The attacker is not able to attack the bank and not able to get access to the PIN calculator but might be able to message the user or infect the computer. You will not get full points for a vague answer, the steps for the successful attack have to be clearly stated. Hint: see recommended reading. (2p)

Web attacks

1. Answer the following questions very briefly with your own words (no copying):
   1. How can a service provider prevent cross-site scripting attacks? (0.5p)
   2. How can a service provider prevent cross-site request forgery attacks? (0.5p)
   3. What should the client do in order to prevent becoming the victim of cross-site scripting attacks? (0.5p)
   4. What should the client do in order to prevent becoming the victim of cross-site request forgery attacks? (0.5p)

Technical attacks

1. Why might some countries prohibit the usage of foreign antivirus software? Discuss: what is the reasoning for that regarding security and the configuration of the antivirus software? (1p)
2. Write a summary about real cyber attack or a series of attacks. You may not choose Stuxnet, as this was covered in the lecture. For finding an attack: use google or search for attacks from our list of news (including previous semesters). (2p)
   
   First, give an overview of what happened and when it happened. Who or what was the target of the attack and which vulnerabilities were exploited? What was the motivation behind the attack and was it successful? How much damage was done to the target? If possible, find out who was behind the attack and how did the attacker get detected or caught? Did the victim do anything to protect himself/herself against a similar attack in the future.
   
   Write the summary on your own without copying text such that the reader would be able to understand what happened without using any additional sources.
   
   A good summary is nicely structured and written in decent English. While writing the summary, keep in mind your colleague who may not be so technically inclined, i.e. give an overview of the necessary background and explain technical terms that were not covered in this course and that are not commonly known. You should include (and cite!) more than one independent sources.

Wireless security

1. We know that mobile communication is (almost always) encrypted. However, it is known that with a programmable radio and special software it might be possible to intercept and decrypt some phone calls. Is it possible to use the smartphone such that one would not have to worry about interception & eavesdropping of calls? You can assume that the user is aware of the best practices. Put yourself in the position of an advanced attacker. Discuss and write down different reasons why this would or would not be possible. You will have to provide reasoning for your answer! You will lose points for each claim that can be refuted. (2p)

KeePassXC task and the hash breaking task

1. The corresponding tasks are in the bottom of this page. The solutions for the KeePassXC task and for the hash breaking task have to be submitted to their own submission form which can be found from the bottom of this web page.

Submission form for the written tasks

The solution should be submitted through this website. The solution can be submitted once you have logged in with the university credentials. We accept solutions only in .pdf format if it is not stated otherwise in the homework task. The solutions of the practical tasks have to submitted separately to their corresponding input forms (see below).

We would like to get feedback about the difficulty of the homework and therefore we would kindly ask you to write in the comments box an estimate of how much time it took to solve the homework tasks.

3. 3. Homework (in PDF format)

Practical tasks

Hash breaking task

Each student has a pseudonym for the information security course in this web site. The pseudonym was randomly connected to a hash value. Your task if to find the input that gave he hash value that is connected with your pseudonym and also the name of the hash function which was used to create that hash value.

This task illustrates why passwords have to be hashed and salted when stored in a database. The list of hashes for this task can be found from here: hash values and pseudonyms. (1p)

 Hints and suggestions:

• You do not need any additional software to solve this task. You do not have to break that hash value on your own. However, you will have to find other means to find the input. Think back to the authentication lecture and try to remember what the attackers are doing if a database is breached and no salting was used.
• Make sure that you will be using the hash value that was assigned to your pseudonym. The solutions are graded automatically, which means that if you solve the wrong hash value then you will get 0 points.
• Information about the common hash functions (e.g., the length of the hash value) can be found from the following Wikipedia page: List of cryptographic hash functions
• Hash values are usually encoded using hex. In case the length of the hash is known (in number of bits), then it is easy to find its length in hex. To do that, one has to divide the number of bits with eight (to get the number of bytes) and then multiply the result with two (to represent one byte two hex symbols are required).
• You may need to use a search engine to find the solution. Thus, it is good to know some tricks that helps you to find exact matches for your queries: Google Search Tips You'll Want to Learn

The solution has to be in a simple text file (with .txt extension, not in a .docx file!!!) that contains only two rows. The first row must only contain the found input value. The second row must only contain the name of the hash function. In case you add any additional information or do not use the required file type or file format then the automatic grading script can give you 0 points. In case you are using Windows then you can create a simple text file with the software Notepad. 9. Hash value and hash function name (in .txt file)

KeePassXC task

Use KeePassXC to create a password database and submit this database (.kdbx file) below. You will find some background information from the lecture notes. The following guide can also help to solve the task: How to: Use KeePassXC. (2p)

The solution will have to follow the following guidelines:

• The master password for the database has to be infsec (in lowercase). This is deliberately too short to make verifying the solutions easier. You will get 0 points if a different master password is used.
• Enter a new row / entry to the database. The entry's name (title) must be your full name and username must be your study book number.
• Password must be randomly generated and 32 characters long. It should include characters from at least these classes: lower and upper case letters, numbers.

8. KeePassXC file (.kdbx)