Week 3 Exercises: Kobayashi Maru Exam

At the beginning of class, we practiced thinking like a hacker by cheating on a test. This is thinking like a hacker because there are rules that constrained what you were and were not supposed to do, and practices by the professor and other students that also made it hard to cheat. You worked around those and tried to cheat on the test anyway. This is thinking like a hacker: finding ways around the rules and behaviors so that you can get what you want without having to follow the rules.

Thinking like a hacker is really important for people working in cybersecurity. Hackers think like this, so it is important that you do too, so you can anticipate what they might do. These exercises have you continue to do this.

As you go about your normal, day-to-day life, look around you. Think about the rules, both written and unwritten, that govern what you are and aren’t allowed to do. Think about the human behaviors that make things harder or easier for you. Then figure out a way around them to get something you want.

For each of the examples below, work with your partner to figure out a good way around some set of rules or practices. What you are doing is looking for vulnerabilities: gaps in protection that allow you to take advantage of the system in some way that is usually contrary to its intended design. Your job here is to describe vulnerabilities in these everyday systems.

For each of the examples below, follow these steps using the Vulnerability Brainstorming worksheet:

  1. How does this normally work? Each of the examples is a system that involves people and computers following a set of rules and processes to accomplish some everyday task. Write down how it works when it works successfully.

    As you work, try to be as detailed as possible. Don’t just say “parking attendant issues a ticket”. Say something like “parking attendant enters the licence plate number and parking lot number into a special app on their phone, which then generates a ticket that they can print on a portable ticket printer”. Doing this is hard, but important. Most of the time vulnerabilities are found in these details, not in high-level descriptions. It is these details that help you figure out where the process can go wrong. So thinking about these details is critical.

  2. Brainstorm possible alternative goals. Each of these systems has a primary goal – issue parking tickets, collect money for groceries, etc. One obvious hacker goal is to clearly subvert the primary goal – park without paying, get groceries without paying. That’s a good place to start. Write that down. But then stop and think: are there other possible goals? Can you issue parking tickets to the wrong car / your enemies? Can you pay to park but then end up parking longer than you paid for? Think about what other goals you might have. Bruce Schneier listed some categories of goals in his book Secrets and Lies that might help you brainstorm: “monetary theft, framing, privacy violations, vandalism, terrorism, or publicity”. He also lists denial-of-service.

  3. Think about hacks. Look at the process as you listed it, and the goals you wrote down. Try to figure out a way to accomplish one or more of those goals by taking advantage of that process. For example: if you wanted to get the university to issue a parking ticket to your enemy, what could you do within the parking system to try to make that happen? Could you create a fake licence plate and put it on your illegally parked car? Would that be enough?

  4. For each hack, identify the vulnerability that enabled it. A vulnerability is a feature of the system – a technical attribute or a part of the normal process – that you are exploiting to accomplish your hack. Vulnerabilities are where things aren’t properly checked, or where you can get someone to do something they normally wouldn’t be able to do. In the running example, by lying – putting a fake licence plate on your car – you can get the parking attendant to issue a parking ticket to someone other than you. The vulnerability is that the parking attendant never checks to see if the licence plate actually belongs on the car it is on; they just trust that the licence plate is correct for that car.

Also, for each of these, think about: what’s stopping you? It isn’t just ahead-of-time prevention rules that might stop you; also think about after-the-fact rules such as being banned from a store or video game, or the police arresting you. Can you get around these types of prevention? How?

These are real-world situations. For some of these, it is possible that there isn’t a good or easy vulnerability. That’s OK; if you really think there are no vulnerabilities in the system, say so and try to explain why there aren’t any vulnerabilities. But I encourage you to try hard to find vulnerabilities.

Topics

Parking Enforcement

Parking on campus is complicated. Some places require a permit, which is sometimes only available to certain people (like faculty). Some places require you to use an app or pay a parking meter. And some places are open to the public. How is this enforced? By whom? Are there ways to park illegally for free on campus and not get caught? How many can you come up with?

Automated Traffic Enforcement

Increasingly, cities are installing cameras that monitor traffic for speeding and running red lights, and will scan the license plate and automatically issue tickets. Can these systems be tricked? Can these systems be abused in some way?

Self-scanning at Grocery Checkout

Grocery stores allow people to scan their own groceries to check out, and also have a platform that weighs the groceries as they are scanned. They also usually have an attendant who helps people and verifies things like age restrictions. Is this secure? Are there ways to trick or cheat the system?

Adding/Dropping/Overrides into classes at MSU

To override into a class in ComArtSci, you need to fill out information on a webpage (that requires a login), and also email or talk to your advisor. The advisor then goes into a computing system (also requiring a login) and pushes a button to allow the override. Can this system be faked or abused?

Traffic Lights

Traffic lights are just lights, but they control when cars are allowed to go or have to stop. They can be triggered by many things: timing based on the controllers in boxes on posts; actuated by cars driving up the road; pedestrian buttons requesting a walk light; sensors that detect emergency vehicles. Can traffic lights be controlled or abused?

Dorm room / apartment security

Generally, you only want certain people to be able to get into dorms and into dorm rooms. We protect these with keys, ID cards, and motion sensors. Are there ways to break into dorm rooms or get into dorms or places in dorms that you normally aren’t allowed? If you wanted in, how would you get in?

Credit Card CVV codes

Credit cards have a 16 digit number that identifies the card. They also have a 3 or 4 digit code on the back called the CVV code. Do these codes actually provide increased security? Are there ways you can get around or fake these codes?

Something Else

You’ve done this now for a number of situations I’ve provided. Work with your partner to think like a hacker, and come up with some other situation where you can exploit the situation to get something you might want.