ICT Security Basics - from Trust to Blockchain - ict4hm003 3001 2020 Spring

Learn security fundamentals to understand current trends.

Blockchains, TOR network and video conference encryption all stand on these fundamentals.

Online course - I (Tero) will give and evaluate all my courses completely online during 2020 Spring.

Moodle (requires Haaga-Helia account)

Learning goals

In this course, you will

• Learn fundamentals of computer security
• See them in hands on exercises

In detail, you'll

• Have an idea of computer security fundamentals (confidentiality, ...)
• Think of security as risk management; recognize some of the risks in ICT
• Can put infosec tools in perspective, and has tested some of these tools
• Can take attacker view (at least on a superficial, hypothetical and descriptive level)
• Has had a look on some concurrent security tools and techniques

This course gives you grand overview of security principles and practice with tools implementing these principles. Even though you're expected to be able to install and configure programs and troubleshoot some errors, this is not my most technical course. If you want a demanding, hands on technical course with exploitation practice, pick Tunkeutumistaus (Penetration Testing ict4tn027-3003) in addition to this.

Timetable

This initial timetable will change during the course.

1. w14 Mon 2020-03-30 Organizing, overivew of the course. Fundamentals. CIA triad. Adversarial situation. Business view. Attack tree. Attacker view and pentest. The most common ways to attack companies (spear phising, OWASP 10...).
2. w15 Mon 2020-04-06 17:40-20:30 Niko Marjomaa, Accenture - Leading security. (Easter w16 Mon 2020-04-13)
3. w17 Mon 2020-04-20 Low hanging fruit for the defender. Low hanging fruit for the attacker.
4. w18 Mon 2020-04-27 Encryption. CIA in encryption. Symmetric and asymmetric encryption. Hashing. Two way authentication. Measurment. Breaking encryptions.
5. w19 Mon 2020-05-04 Practical encryption technieques. PGP for email encryption. Public key infrastructure. Centralized and distributed trust (e.g. TLS vs PGP).
6. w20 Mon 2020-05-11 New applications for encryption. Anonymous (pseudonymous?) networks: TOR. Virtual private networks and SSH tunneling. Distributed file sharing (e.g. syncthing). Blockchain and cryptocurrencies.
7. w21 Mon 2020-05-18 Presentations.

Evaluation

Homeworks 50% and presentations 50%. Evaluation is based on totality of the skills and knowledge demonstrated.

Literature and links

(Haaga-Helia users should have free access to O'Reilly Learning aka Safari Online trough our library, even when they are marked with € below)

r1 Overview, concepts and fundamentals

• OWASP 10 pdf, p 21-22: Note About Risks; Details About Risk Factors.
• Schneier 1999: Modeling security threats (Attack trees)
• Darknet Diaries . (You can find interesting security incidents here. It's hours and hours of material, so just have a look. To listen to podcasts on Android, you can use AntennaPod from F-Droid)
• Krebs on Security (It's a whole blog, so just have a look. You can find security incident writeups here)
• MITRE ATT&CK (Tactics, techniques and procedures. It's big, it's enough to just have a look. )
• Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (cyber kill chain)

r2 Niko's Slides

Niko's slides were sent by email

r3 Offensive Views

• Karvinen 2020: Remote Learning Tools for Tero's Courses: Install Virtual Xubuntu Linux
• Karvinen 2019: Install WebGoat PenTest Learning Tool on Ubuntu – with Docker (Make sure your address starts with "localhost" when you practice.
• Disobey 2020 Videos were just published. There are hours of videos, just have a look. Antti Virtanen: "I'm in your office" is an easy start.
• MitmProxy on Kali and Xubuntu – attack and testing

r4 CIA Triad and Encryption

• Schneier 2015: Applied Cryptography Chapter 1: Foundations €
• Curtin 1998: Snake Oil Warning Signs: Encryption Software to Avoid

r5 Applications: Pseudonymity

• Shavers & Bair 2016: Hiding Behind the Keyboard: The Tor Browser €

r6 BitCoin and Crypto Currencies

• "Satoshi Nakamoto" 2008: Bitcoin: A Peer-to-Peer Electronic Cash System. This is the paper that defined and introduced BitCoin. You can skip "11. Calculations" if you don't like sigma symbols.
• Narayanan: Bitcoin and Cryptocurrency Technologies, videos Week 1 (about 1 hour) and optionally Week 2 (1,5 h). Requires free registration.
• Määttä et al 2020: Virtuaalivaluuttojen verotus VH/5083/00.01.00/2019. Previous version is available in English. Latest English version was not available in at the time of writing. This is a long document, only read the parts relevant to you.

Homework

h1

Before you start working, read about the key terms and concepts in security in literature and links.

a) Pick a security incident and learn about it. Write briefly about it. Point out the concepts of threat actor, exploit, vulnerability, impact and risk. (You can find writeups about security incidents from Darknet Diaries and Krebs)

b) Use either (Hutchins et al 2011) cyber kill chain or MITRE ATT&CK framework for analyzing the incident you used in a. You can pick any incident you want, but try to pick a source that gives you enough technical and business detail to do some analysis. (If you're in a hurry, cyber kill chain is much simpler. If you're technically skillful, you might find ATT&CK be very interesting)

c) Use attack tree to analyze the security of some imaginary example target.

d) MITTRE ATT&CK is about tactics, techniques and procedures. Give example of each from the framework.

e) Accept course rules in Moodle, so that we can talk about practical exploits.

e) Voluntary bonus: What do you consider the fundamentals of security? What are the theoretical foundations you would teach on the first day?

h2

Next Monday is a national holiday, so the deadline is w16 Tue 2020-04-14.

a) Write a case with Niko's lessons. Analyze a business case using the theories learned, then create recommendations. 1000-5000 words. You can use a real business case as the basis and fill the details with imagination, as you probably won't be able to know the operational details of a company from the outside. Or, you can come up with completely imaginary scennario. Be prepared to discuss your case in the class.

h3

We're getting hands on & offensive as you asked. If you get stuck, do and report all you can. Report the stuck task carefully, so we can later see what went wrong and fix it. On the other hand, if you're familiar with the web and find these tasks easy, do the extras. You should be more skillful after doing the homework, compared to yourself before you started.

z) As always, read the articles mentioned in literature and links before you start. Reading OWASP 10 from previous literature might help, too. You don't need to report this reading only part z.

a) Solve four riddles from WebGoat. Skip the ones that are "for developer version only" or require modifying WebGoat source code inside Docker container. You can use any tasks, but the ones near the start are easier. Explain step by step how you exploited the app. (For this task, you'll need to install WebGoat. Check links and literature above. WebGoat runs on your own machine, so make sure the address starts with "localhost")

b) Use OWASP 10 to name each type of vulnerability you used in part a.

c) Real life? For each of the vulnerabilites you found, explain how it could be used in real life. For example, if you get a javascript alert, so what? How common do you think that this vulnerability is? Can you find any reference to support your view? (Non-academic references are OK)

d) How could companies protect themselves against the problems you considered in a-c? Try to view this on different levels, from code to strategy.

e) Voluntary: Solve 15 WebGoat challenges. It makes sense to use as simple and easy to use tools as possible, but you might need something more. In case you need it, mitmproxy is my favourite testing proxy.

f) Voluntary: Invited. Get an invite to Hack The Box. This is a simple javascript/web hacking challenge. Stay within scope. https://www.hackthebox.eu/invite (ps. If you do get an invite: If you get inside the network and set up VPN, only continue if you know how to use the required tools safely; understand their rules; follow your tools with other tools; double-triple check IP addresses; and stay within the scope given.)

h4

z) As always, read the articles mentioned in literature and links before you start. You probably won't be able to answer the questions without reading the material, especially Schneier. You don't need to report this reading only part z.

a) Give practical examples of protecting and violating CIA (confidentiality, integrity, availability).

b) Name an unbreakable cipher and explain how it works. Can you name an example from history where a mistake in applying this algorithm has lead to disclosure of confidential data?

b) Encrypt a message symmetrically, using any program you like.

c) Encrypt a message asymmetrically, using any program you like. If you want, you can combine tasks b and c.

d) Give examples of encryption algorithms that are computationally secure; and examples of those that are not.

e) Find Diffie, Whitfield, and Martin Hellman: "New Directions in Cryptography". What problem does it solve? When was it published? How was this problem solved before this idea? Have you ever used any of these techniques in your own life? This is a very well known article, so third party sources can also give you answers to these questions - you don't need to read and understand the whole article to answer the questions.

f) Find an example of an encryption product whose security seems suspect. You can look at marketing claims, omitted information or compare information to outside sources.

g) Decrypt this cyphertext "Zpv bsf b ibdlfs!"

x) Optional: Which single lower case English word has this sha256sum? 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

y) Optional, harder: Solve a challenge from cryptopals.

h5

In Finland, it's legal to use TOR at the time of writing. If you reside in another juristiction, laws might be different. Obviously, it's illegal to do illegal things in TOR, just like it's illegal to do illegal things anywhere. Only do legal things.

z) As always, read the articles mentioned in literature and links.

a) Install Tails and access TOR network (.onion addresses). (Explain in detail how you installed it, and how you got access to TOR).

b) Browse TOR network, find, take screenshots and comment

• search engine for onion sites
• marketplace
• fraud
• forum

c) Find an example where anonymity of TOR user was compromized. How was it done? Who did it? Could the deanonymization be replicated?

d) What other pseudonymous/anonymous networks are there?

e) In your own words, how does anonymity work in TOR? (e.g. how does it use: public keys, encryption, what algorithms?)

f) What is the threath model for TOR?

g) Reserve your presentation topic. Security related. Combine fundamentals of security to business, strategy or practical applications. 5 minutes presentation + written article. Reserve topic on Moodle (HH login required)

h6

z) As always, read the articles mentioned in literature and links.

a) Value of bit money. How much is one BitCoin (BTC) worth now? Using historical BTC course, show that you could have lost a lot of money investing in BTC. Also show that you could have won a lot of money with BTC.

b) Is it legal to own BitCoin in Finland? Why do you think so?

c) What's a block chain? Give a simple but detailed explanation. (Feel free to use the most narrow and simple definition of blockchain - no need to consider a whole cryptocurrency).

d) Not BitCoin. Give examples of some AltCoins, crypto currencies compiting with BitCoin. For each AltCoin: how does it differ, what's it's claim for fame?

f) Prepare a 5-7 minute presentation on the subject you reserved. We'll have presentations next week.

g) Voluntary: Buy some BitCoin. If you're new to this, don't risk a lot of money.

h) Voluntary: When do you have to pay taxes for BitCoin in Finland? (If you want, you can instead check taxation in another country)

i) Voluntary: Describe a simple cryptocurrency (you can invent one yourself or use an existing toy example).

j) Voluntary: Secret or public? Find some transactions on a BitCoin account that is related to a case that has had publicity.