CSEC3616— S2 2022
Assignment - 1
This is a group assignment.
This assignment worths 10% of the final marks of the course.
For questions 10, 11, and 12 additional scripts/code templates are provided.
Submit your final report as a PDF and codes as a zip file in Canvas.
You should explain any details of how to run your code in report.
Final Report + Code: Due by Week 7, Sunday the 18th of September, 11:59 PM
1 Safety and security (5 marks)
Safety Engineering and Security Engineering are related. Explain the similarities and differences
between the two fields, and decribe the aspects that absolutely refer to security engineering (provide
brief explanation and give one example scenario for each area).
2 Securing a start-up (8 marks)
You are the new Security Engineering Manager at a start-up that provides data analytics servies to
Telecommunications Service Providers. Major telecommunication service providers take your services
to develop churn prediction models, usage pattern analysis, and develop service plans. This means
they are sharing their customer data directly with you. As a start-up,not much effort has been put
into security engineering, and it is your task to define and enhance the overall system security.
Explain a framework which you can follow to get things started. For each component of the
framework, give at least two examples that are applicable to this start-up. (2 marks)
b) Assume one of your clients is British Telecom (BT). BT plans to share their client’s data
with your company to develop statistical models for churn prediction. However, first they need
to know if your company can meet some security goals. Breifly explain three security goals that
can assure to keep BT’s data safe. (3 marks)
For each security goal, state incentives against which you intend to defend. Brief explanations
are recommended. (3 marks)
3 A common problem (12 marks)
The following is a story from the book The art of deception by Kevin Mitnick.1 We modified it
slightly for this assignment. Please read carefully through the text and then go through the following
questions.
1If you want to gain a deeper understanding of human psychology and how it can be exploited, this is definitely a book
you want to read. It is available online via our library.
1
Rosemary Morgan was delighted with her new job. She had never worked for a magazine
before and was finding the people much friendlier than she expected, a surprise because
of the never-ending pressure most of the staff was always under to get yet another issue
finished by the monthly deadline. The call she received one Thursday morning reconfirmed
that impression of friendliness.
‘Is that Rosemary Morgan?’
‘Yes.’
‘Hi, Rosemary. This is Bill Jorday, with the Information Security group.’
‘Yes?’
‘Has anyone from our department discussed best security practices with you?’
‘I don’t think so.’
‘Well, let’s see. For starters, we don’t allow anybody to install software brought in from
outside the company. That’s because we don’t want any liability for unlicensed use of
software. And to avoid any problems with software that might have a worm or a virus.’
‘Okay.’
‘Are you aware of our email policies?’
‘No.’
‘What’s your current email address?’
‘Rosemary@ttrzine.net.’
‘Do you sign in under the username Rosemary?’
‘No, it’s R-underscore-Morgan.’
‘Right. We like to make all our new employees aware that it can be dangerous to open any
email attachment you aren’t expecting. Lots of viruses and worms get sent around and
they come in emails that seem to be from people you know. So if you get an email with an
attachment you weren’t expecting you should always check to be sure the person listed as
sender really did send you the message. You understand?’
‘Yes, I’ve heard about that.’
‘Good. And our policy is that you change your password every ninety days. When did you
last change your password?’
‘I’ve only been here three weeks; I’m still using the one I first set.’
‘Okay, that’s fine. You can wait the rest of the ninety days. But we need to be sure people
are using passwords that aren’t too easy to guess. Are you using a password that consists
of both letters and numbers?’
‘No.’
‘We need to fix that. What password are you using now?’
‘It’s my daughter’s name.’
‘That’s really not a secure password. You should never choose a password that’s based on
family information. Well, let’s see . . . you could do the same thing I do. It’s okay to use
what you’re using now as the first part of the password, but then each time you change it,
add a number for the current month.’
‘Oh. OK.’
‘Great. Do you want me to walk you through how to make the change?’
2
‘No, I know how.’
‘Very good. Well, it’s been nice talking to you. Have a great day.’
‘Thanks, you too.’
She went back to work, once again pleased at how well taken care of she felt.
a) The attack (6 marks)
Give two security-relevant pieces of information that the attacker extracted. (2 marks)
Which human weaknesses did the attacker exploit? Say why. (3 marks)
The attacker did not manage to get all information they wanted—namely the password. How can
they possibly still get that piece of information without resorting to trying out all possibilities?
(1 mark)
b) Policy, our old friend (3 marks)
The password policy the attacker states is actually still very common (especially in Australia).
Argue: why is it not a good policy? Give two reasons.
c) The aftermath (3 marks)
Let us assume that this story continues. The attacker was ultimately successful in breaking into the
system. Rosemary’s boss berates her, stating that she was told in her induction that she must read
the security policy (she didn’t).
The boss’s argument is unrealistic. What does evidence tell us? (1 mark)
The attack could have been thwarted by Rosemary in simple ways, had she been trained properly
by the company. Give one non-technical defence. (1 mark)
Give Rosemary advice how to choose a better password. (1 mark)
4 Privacy warnings (5 marks)
As a results of privacy legislation changes globally, a large number of websites now dispaly ‘cookie
warnings’—pop-ups that inform the user that the site will set a cookie. Figure 1 shows the pop-up
displayed at https://www.nature.com/.
Considering what you know about human decision-making, argue whether this is an effective
way to get user approval. Be brief. (1 mark)
Figure 2 shows another cookie notfication taken from https://www2.deloitte.com/. Compared to
Figure 1 discuss whether this is a better or a worse design. (1 mark)
Explain why the approach is not used by many websites. (1 mark)
Discuss: can cookie notifications be exploited by attackers? 1-2 sentences are enough. (2 marks)
3
Figure 1: The cookie warning by https://www.nature.com/.
Figure 2: The cookie warning by https://www2.deloitte.com/.
4
Figure 3: A phishing SMS received by ANZ customers
5 Phishing in banking (6 marks)
Figure 3 shows a suspected phishing text message appears to be from ANZ bank. The inbox has all
previous legitimate messages from the ANZ bank’s phone number. The users were confused about
whether this actually came from ANZ or not, ANZ then sent a confirmed text message the next day
that said it was a phishing text message. However, many users might be exposed to this attack before
ANZ confirms that phishing text message.
State two weaknesses of the human mind that the design of this email targets, and give an
example from the email for each. (2 marks)
One major difference in this attack compared to other phishing attacks is that the phone has
somehow placed the phishing message to the previous legitimate message thread between the
bank and the customer. Explain possible ways of how an attacker can do this? (2 marks)
Explain at least one way to defend against this type of attack for both technical and non-technical
people. (2 marks)
6 Evaluating a Bell-LaPadula-based security policy (10 marks)
We evaluate a security policy here that tries to implement a form of Bell-LaPadula model. Table 1
shows the so-called Access Matrix, with each column defining an Access Control List (ACL). R stands
for read, X for execute (implies read), A for append (implies write), W for write. Please read the
matrix as: if no rule is defined for a combination of subject and object in there, then the rules in the
other tables govern access.
The principals are Arthur, Bertie, Denver, Donald, Dylan, and Kelly; plus the programs beetle,
mspaint, and time. beetle is a game that stores its savegames in /tmp, mspaint is a drawing program
that saves its pictures in /tmp, and time is used to run any other program at a particular time.
5
beetle.exe /tmp missile_codes.rar mspaint.exe transfers.csv
Bertie X A X A
Arthur R RW A X A
Denver X X R
Kelly R RW
Donald R RA
Dylan RA R X R
time.exe X R X
Table 1: Access control matrix.
There are also definitions based on clearance levels, which are to be interpreted according to the rules
of Bell-LaPadula. Each resource may be tagged with the markers PROTECTED, SECRET, TOP SECRET
(in rising order of clearance).
We finally extend this with caveat rules, of which there is only one: AUSTEO means something is for
Australian Eyes Only. Table 2 shows the clearance level and principals holding a certain level, and
Table 3 shows the allocations.
In order to be allowed access to an object, all rules defined in the three tables must be fulfilled.
Clearances Accessible Resources People
Baseline Vetting ≤ PROTECTED Arthur
Negative Vetting 1 ≤ SECRET Bertie, Kelly, time.exe
Negative Vetting 2 ≤ TOP SECRET Dylan, Denver
Positive Vetting ≤ TOP SECRET + AUSTEO Donald
Table 2: Clearance levels principals holding clearance.
Tag. . . marks. . .
PROTECTED /tmp, transfers.csv
SECRET beetle.exe
TOP SECRET missile_codes.rar, mspaint.exe
AUSTEO missile_codes.rar
Table 3: Tags and marking.
a) Access Control (2 marks)
What form of Access Control is implemented by Table Say why. (1 mark)
What form of Access Control is implemented by Tables 2 and 3? Say why. (1 mark)
b) Rule consistency (6 marks)
6
Are the rules in the tables consistent with each other? If not, which definitions in the ACL collide
with the definitions via the clearance levels? Say why for credit.
c) Malicious operatives (2 marks)
Kelly is the accountant. Is there anything stopping her from ‘cooking the books’, i.e., forging
transfers? Why? (1 mark)
Dylan is a beetle.exe addict and has had his permissions revoked. Can you find a way for him
to get his fix? (1 mark)
7 Access control and Operating Systems (12 marks)
A few questions about access control and Operating Systems:
a) OSes in general (2 marks)
Can Operating Systems provide access control without having to rely on the hardware? Why?
(1 mark)
How do Operating Systems prevent an application from overwriting another application’s
memory? (1 mark)
b) Linux (3 marks)
Consider the Linux operating system and how it handles file permissions.
The mount command allows the Linux operating system to access additional block devices, this
includes things like USBs, additional hard disks, CD-ROMS or even iso images. What are the
permissions on this command? (1 mark)
? Write a script (using either Python or Bash) that would search the operating system and return
a list of all files with similar permissions that the current user has access to (No “Permission
Denied” strings in the output). Submit the script. Hint: if you attended the tutorial, this can
be a one-liner. (2 marks)
c) Windows (5 mark)
Figure 4 shows a dialogue of Windows 10. This is actually an implementation of a security model.
What model is implemented here? (1 mark)
Name the rules of the model that cause this dialogue to appear. (1 mark)
Look into what an autorun.inf file is.
How does a CD-ROM make use of an autorun.inf file? (1 mark)
Compare and contrast how Windows handles inserting a CD-ROM to how it handles the case
in Figure 4. (1 mark)
7
Figure 4: Dialogue from Windows 10.
Compare and contrast how Windows handles inserting a CD-ROM to how Linux handles
mounting a CD-ROM.(1 mark)
d) The USB key and virtualized OSes (2 marks)
Assume you find a USB key on the floor. You pick it up, but distrust it. You start a VM to inspect
its contents.
Explain by referring to virtualization as access control: does this protect you against all risks
involved by plugging in the USB key? Why? (2 marks)
8 Linux Privilege Escalation (6 marks)
When an attacker breaks into to a server, usually they initially get a least privilege shell/user access.
Next the attacker attempt to obtain a higher privilege shell like the root through multiple ways.
Conduct your own research and describe three methods attackers usually use for privilege escalation.
9 Breaking Diffie-Hellman (6 marks)
Alice and Bob use the (textbook) Diffie-Hellman scheme to establish a shared key KA,B over an an
insecure channel. We mentioned in the lesson that Diffie-Hellman is secure only against attackers
that are not able to modify messages in transit.
Find a way how an attacker (outside the Diffie-Hellman assumptions) can perform an attack against
the key establishment, such that they will be able to read every message that Alice and Bob send to
each other after the key exchange is complete.
Describe the basic idea (2 marks).
Write up the protocol flow (in the style as shown in the lecture), with the attacker breaking the
key establishment (2 marks).
Which key is Alice going to use? And which key is Bob going to use? (1 mark)
Show why the attacker can get the plaintext of every message Alice and Bob send after the
handshake (1 mark).
8
10 Hybrid cryptography in Python (10 marks)
In this task, you are going to implement hybrid crypto in Python. Let Alice and Bob be the ‘players’.
Fill in the provided skeleton code! Use pycryptodome.
The provided skeleton code will guide you through the task. You must:
Complete the class Principal (5 marks)
Complete the class HybridCipher (5 marks)
Complete the main() (2 marks)
Do not change the function signatures! Your task is to fill in the gaps, not write fresh code. In the
report explain your code and how to run it.
11 Cracking the code (10 marks)
You are an undercover agent who has infiltrated a terrorist group. You got access to the group’s
leader’s laptop and found a file named top_secret.txt. However, only group leader has the key to
decrpt the file. To avoid an imminent attack you have to decrypt the file top_secret.txt. Submit
your code and explanation of your attack methods to find the plaintext.
Please note the following.
Space character is not encrypted.
The length of the key is less than 10.
Hint. Use something similar to Kasiski’s analysis.
12 New encryption algorithm (10 marks)
Your friend (Alice) designed a new encryption algorithm. She sets the key size as 40 bits or 104 bits
key, and an initialization vector (IV) length of 24 bits. By adding the IV, the key size for her new
algorithm is now 64 bits or 128 bits which seems good. However, you attended INFO3616/CSEC3616
and believe that this is not a secure encryption algorithm. You can access your friend’s source code.
There is a csv file showing several data packets that were encrypted using the new algorithm. The
first 3 columns present values of 24-bit IV, and the 4th column shows the encrypted values (plaintext
was “aa”). Complete the sample code to recover the secret key and prove that she was wrong. Figure
5 shows how Alice’s algorithm works.
Hint: Focus on how the keystream was created and bitwise operation. Note that secret key (also
called rawkey in the code) and keystream are different.