CS-C3130 Information security Examination 2016-10-27 SOLUTIONS Lecturer: Tuomas Aura

No electronic equipment or reference material is allowed in the examination.

Advice: Because of the large number of students, the exam questions this year may appear quite short and simple. Relatively short solutions are sufficient, but that means you should think extra carefully about them.

1. Payment systems

In addition to the card number, credit and debit cards have a short security code printed on the card. It is 3-4 digits long and often printed on the back of the card next to the cardholder signature panel. The code has many names, for example CVC2 in MasterCard and CVV2 in Visa. These codes have been added to credit and debit cards after the year 1997. Explain in detail the purpose and working principles of this this feature.

Solution outline (best if written into full sentences):

 CVV2 is an additional customer authentication mechanism  It is used for cardholder-not-present transactions o Typically used on the web and phone shopping o Replaces the PIN for authentication where chip and PIN cannot be used  Merchant verifies the correctness of the code online from the issuer o through the Visa or MasterCard network o Merchant is not allowed to store the code in a database with other credit card details  Goal: to reduce misuse of stolen credit card numbers o Prevents one kind of “” o Online merchant’s customer database may be compromised, e.g. by SQL injection attack, but CVV2 cannot leak because it is not there o CVV2 is not on the mag stripe or chip, and thus mag stripe skimmers do not get the code o CVV2 is not embossed on the card, and thus won’t be imprinted on old-fashioned paper slips o User should not store CVV2 in phone-based or browser-based wallets, but that cannot be enforced  Code changes when card renewed, while the card number (PAN) does not  Less important notes: o CVV2 could also reduce the harm from customer account hijacking if asked for every transaction, but most online shops do not work this way o Printing the code on the backside hides it from shoulder surfing and one-sided photos of the card, but that is not essential (Amex has a similar code on the front)  Does not help against , corrupt merchants, copying by those who physically handle the card o If the code is leaked, the card has to be replaced

2. Access control

Carol is the system administrator on the office Linux server, which has four users: the bosses Alice and Bob, and the development team A members Carol and David. Here is the output of the ls -l command on a folder on the computer:

-rw------1 david teama 18378002 27 Oct 03:11 code.zip -rw-r----- 1 alice teama 8943593 27 Oct 03:02 spec.doc -r--r----- 1 bob bosses 288431 10 Jul 2015 synergy.pptx -rw----r-- 1 alice bosses 20322136 21 Jun 05:06 yacht.jpg

Problem: Show the protection state for the above objects in the form of an access control matrix. If your solution matrix does not give a complete picture, add an explanation.

Solution:

code.zip spec.doc synergy.pptx yacht.jpg alice - rw r rw bob - - rw (3) - (1) carol (2) rw rw rw rw david rw r - r

Explanations: (1) Group permissions override the world permissions when the user belongs to the group. (2) Administrator can gain access with sudo or logging in as root. (This can in the matrix or as a separate note.) (3) The owner of a file can change the permissions. (This can be in the matrix or as a separate note.)

3. Data encryption

Every morning after arriving at the factory, Alice logs into her Windows workstation with her username and password. She then works on her secret product-plan documents, which are encrypted with the Encrypting File System (EFS). In the evening, she logs off and goes home. Bob, the industrial spy, has infiltrated Alice’s company as a sanitation consultant. What different ways does Bob have for getting access to Alice’s secret documents?

Solution outline (best if written into full sentences):

 Bob probably prefers attack methods that go unnoticed. As a hired consultant (or cleaner), he may be able to roam around the building freely. Sorry about the confusing joke but “sanitation consultant” is more likely to work on toilet hygiene than on IT services, and certainly not on data sanitization.  User login credential, typically a password, is the per-user master secret in EFS. o The keys are not on the computer in the night when Alice as logged off. o Password reset won’t help.  Ways of getting the password: o shoulder surfing o installing a key logger or camera o copying the cached passwords from the hard drive at night and cracking offline o tricking Alice to log in on another, compromised computer that logs the credentials o Alice may have used use the same or similar password in other services.  Ways of getting the decryption keys (without password): o DMA attacks may be able to recover the keys the memory, but require Bob to install a specialized hardware device to a bus inside the PC (or on Thunderbolt port). o Cold boot of locked machine when Alice is on a break and has locked the screen might also recover the keys from memory. o Hibernation file is a memory dump and thus may contain the keys, but only if hibernation is enabled on the computer and no disk encryption such as BitLocker is in use.  Ways of accessing the data directly (without password): o Alice might leave the workstation unlocked e.g. during lunch, and Bob can just walk in and access the data. o Trojan/rootkit/ can be installed on computer directly in the night, e.g. by editing the disk contents or resetting the admin password. This is possible because EFS does not protect the integrity of the system files. However, this requires great skill to avoid detection and system failures. o Bob could plug in the malicious USB stick and hope that Alice logs in without noticing it. He could also leave the USB stick lying around and hope that Alice checks it out. A purpose-built malicious USB device can send malicious input to the computer e.g. to install the Trojan with Alice’s rights.  Minor data leaks: o temp files possibly not encrypted by EFS o file and folder names leak some information in EFS o print spool, or printouts lying on her desk o watching while Alice works on the documents  Misuse of failure recovery mechanisms: o Bob could add himself as a data recovery agent. For example, he could reset a local Admin password, log in as the admin, and modify the recovery agent settings. o Bob could learn the location of backups (may be encrypted depending on the backup mechanism) and cloud copies of the data (always plaintext). o Bob may find the EFS key backup printout or USB stick in Alice’s office, or her pw on a yellow sticker or in a notebook. o Windows domain admins act as the default recovery agents, so a successful hacking of the domain admin accounts or social engineering can also lead to recovery of Alice’s EFS keys.  Human attacks o social engineering against Alice: love, blackmain etc. o social engineering against IT support  In addition to recovering the password or decryption key, Bob needs to exfiltrate the data. o Bob can copy the disk at night and decrypt the files later. o Malware can upload files to cloud.

4. User authentication

Acme Inc. has created a cloud-based online service where the users can register and set up a username and password. So far, they have one million registers users. The passwords are machine-generated random 12- character strings with the following character set:

0123 4567 89bc dfgh jklm npqr stvw xz+#

The passwords are stored as hash values that are truncated to 128 bits:

hash = truncate(SHA-256(password), 128)

Sadly, the password database has leaked to the deep web where Wile E., a notorious hacker, has found them, and he now plans to do some brute-force cracking.

a) How much does it cost for the attacker to crack the password of the user rrunner? b) How much does it cost for the attacker to crack all the passwords? c) How can the security of the passwords storage be improved for the future without incurring significant costs? How would your solution change the answers to parts (a) and (b)?

Since no pocket calculator is available, an approximate answer for is sufficient parts (a) and (b), but please show the intermediate steps of your calculations. Useful data: A high-performance GPU can compute 1000 million SHA-256 hash values per second. One GPU day costs about $1 considering that the price of the GPU is spread over a three-year lifetime. One day is 86400 seconds.

Solution outline

Since the passwords are random, brute-force cracking is the best attack. The hash is pretty long, so that precomputation is not feasible and collisions are too rare to be taken into account.

a) One user’s password: o 32^12 = 2^60 = (2^5)^12 ≈ 10^18 hash values (or half of this) o 10^18 / 10^9 = 10^9 ≈ 2^30 seconds o 1 day = 86400 seconds o 10^9 / 86400 ≈ 11574 GPU days = $11574 o Approximation: 10^9 / 86400 ≈ 10^9/10^5 = 10000 GPU days = $10000 o On average 50% of the above, i.e. $5000 b) All users costs the same as (a) but must try all the passwords: $10000 c) Basic solution: . per-user random salt prevents cracking multiple passwords at the same time (a) no change: $5000 (b) the above multiplied by the number of users: $5 billion . slow iterated hash like PBKDF2  constant factor cost increase, e.g. 1000x . larger character set: 64 characters instead of 32 gives one extra bit per character o Other possible ideas: . maybe also longer password but it is already pretty long . include secret key into the hash and store it outside the database . store the secret key in a hardware module

The calculations can also be done in powers of two. 5. Online

Explain what is the most likely purpose behind the following emails if they appear in your inbox:

a) From: Chase Bank Online Subject: Important message about your account

b) From: U.N. Relief Commission Subject: Awarded donation funds

c) From: Roger Baker Subject: Work from home earn $500 a week as financial transaction processor

d) From: Tuomas Aura Subject: FW: FW: Laughed my ass off when I opened this file

e) From: Virtanen Pekka Subject: Security bulletin 27.10.2016 - ransomware malware!

f) From: Anna Subject: Looking for romance, eagerly waiting your answer

Solution:

a) Phishing for bank credentials: The user should log into the online bank to read the “important message”. However, the message includes a link to a fake site that collects the bank login credentials. The email was mass-mailed to everyone, but obviously only those who are Chase customers would be fooled. (Copied from one of the early phishing campaigns.) b) Advance fee (419) fraud: A greedy recipients may think that U.N. mistakenly wants to give them money. The sender will milk them for transaction fees, facilitation payments etc. Not many in Finland would fall for this, but rich refugees or people who believe in U.N. incompetence might. (This is not a charity scam because you are awarded money, not asked to donate.) c) recruiting: You would be helping in money laundering. They may ask you to receive payments, e.g. Paypal payments with stolen credit card numbers or drug sales with Bitcoin, and forward them to a foreign account. More likely, they will ask you to give your bank credentials to them for this purpose, or to open a new bank account. Naturally, the police will soon knock on your door and not theirs. (If you ignore the words “transaction processing”, the subject line also resembles spam about pyramid schemes, network marketing, and fake online courses that promise high earnings.) d) Email worm or spear phishing: This could be an email worm that exploits some software vulnerability or the user’s carelessness and forwards itself to all addresses in your address book. These days, it is more likely to be a targeted attack against you or your organization. In that case, the email has been spoofed with a familiar sender name and innocuous subject line, but it contains a malicious attachment. The attached file could be a zipped executable. If you are a high-value target, it may be even be a zero-day exploit against the PDF, video or image viewer. The attacker’s goal is to infect your computer and exfiltrate your data, or to gain a foothold in the organization’s IT system. e) Legitimate warning: This is an actual warning email sent by Aalto IT. Better take a look. However, you should watch out for clever scam emails that masquerade as legitimate warnings. Thus, if there is a link to malware removal or protection software, it might actually install the malware. f) Advertisement for a dating service, or another advance fee fraud (also called 419, Russian bride scam, Nigerian prince scam): If there is a link to a dating service, they will ask for a payment before you can respond to the message. If it is just an email and you respond, you will be lured to a “relationship” with a fictional person who will then need your financial assistance. You will be milked for money as long as you send them any.