Security Concepts & Legal Aspects

Question 1

Describe the essence of 202a

Answer 1

• obtains data
• that were not intended for him
• especially protected against unauthorised access

Question 2

Describe the essence of 202b

Answer 2

• intercepts data
• not intended for him
• non-public data transmission or from the electromagnetic broadcast

Question 3

Describe the essence of 202c

Answer 3

• prepares the commission

- an offence under section 202a or section 202b

Question 4

Describe the essence of 303a

Answer 4

• deletes, suppresses, renders unusable or alters data

- Section 202c shall apply mutatis mutandis

Question 5

What is the essence of 303b?

Answer 5

• interferes with data processing operations which are
  of substantial importance
  1. committing an offence under section 303a(1); or
  2. entering or transmitting data (section 202a) with the intention of causing damage to another; or
  3. destroying, damaging, rendering unusable, removing or altering a data processing system or a data carrier,

Question 6

What are the three security goals?

Answer 6

Confidentially, Integrity, Availability

Question 7

What is the purpose of Confidentiality?

Answer 7

• data confidentiality: no unauthorised party must have access to private or confidential data
• privacy: ensures that individuals can control which data related to them can be accessed/stored by other parties

Question 8

What is the purpose of Integrity?

Answer 8

• data integrity: ensures that data may only be changed in an intended and authorised manner
• system integrity: ensures that a system performs as intended, unimpaired from deliberate or inadvertent unauthorized manipulation

Question 9

What is the purpose of Availability?

Answer 9

Ensure that a system responds in a timely manner and that service can not be denied to authorized users
- in contrast to integrity, this does not imply that system returns unaltered information

Question 10

What Law?
Trying to log into HISPOS as Ben Stock to retrieve list of registered students
- Achieved by guessing the corresponding password, which is „1234“

Answer 10

criminal offence (under 202a)

Question 11

What Law?
A disgruntled administrator deletes access logs to remove his traces
from accessing a server room
- deleted important documents for sales department

Answer 11

criminal offence (under 􏰀303a)

Question 12

What Law?
Denial of Service attack
- Botnet used to make billions of requests to amazon.com - Given the high load, amazon.com is offline for 30 minutes

Answer 12

criminal offence (under 􏰀303b)

Question 13

What Law?
Using KRACK attack to eavesdrop on your neighbour‘s wifi connection
- Allows to „remove“ encryption (null key used for XOR)

Answer 13

criminal offence (under 􏰀202a)

Question 14

What CIA principle?
Assume you store your holiday pictures unencrypted in some cloud service. One day while wandering around in your area you see an advertisement for a local travel agency showing your family together sitting at the beach. Angrily you rip off the poster and return home.

Answer 14

An unauthorized party accessing a private cloud violates the security goal of confidentiality. Depending on the type of access granted to the intruder, integrity could have also been violated, if he would have been able to change data.

Question 15

What CIA principle?
A neighbor is listening to loud music, and it is the day before your first exam. You know that he is probably using his wireless speakers and decide to jam(block) all wireless traffic. Shortly after setting up the necessary device which you had lying around, the music stops, and you can get your hard earnt sleep.

Answer 15

As the jamming of all wireless traffic blocks all wireless communication, mainly the security goal of availability is violated.

Question 16

What Law’s are broken?
Linux.Wifatch is a malware targeting routers. It gains access by attacking weak Telnet passwords. In contrast to other malware it is not known to execute malicious actions, but rather attempts to close curtain vulnerabilities. Entities:
• the programmer (you can assume that the programmer released it)

Answer 16

I. §202a: Yes
II. §202b: No
III. §202c: Yes
§303a: Yes
§303b: Yes

Question 17

Assume you can eavesdrop (belauschen) on a communication over Wifi and modify its content. Which security goals are violated?

Answer 17

Confidentiality and Integrity

Question 18

Which law’s apply?
Person X develops a ransomware, which encrypts the disks of any infected computer. The ransomware then asks for a certain amount of money in Bitcoin with the promise of releasing the key to the encrypted files.

Answer 18

§303a, §303b

Question 19

Which law’s apply?
Person X develops a banking trojan.
This program modifies the operating system to be loaded on every boot.
When the victim visits a banking Web site, the trojan
a) extracts all credentials entered by the victim and
b) changes the recipient of a transaction to the attacker.

Answer 19

§202b, §303a

Question 20

Which law’s apply?
Student X finds a vulnerability in the latest Linux kernel.
Instead of submitting a bug report to Linux, he instead develops a proof-of-concept to exploit the bug, which allows to gain root privileges.
Given that he is short on money, he sells the PoC tool on the black market.

Answer 20

§202c