Trust to Blockchain 2022
ICT Security Basics - from Trust to Blockchain - ICT4HM103-3003 - 2022 Spring
Learn security fundamentals to understand current trends. Blockchains, TOR network and video conference encryption all stand on these fundamentals.
Enroll Monday 08:00 Enroll now, already 30% booked. 184% booked, queue started. Online, in English, in evenings, masters level. Very good 4.1 feedback
In this course, you will
- Learn fundamentals of computer security
- See them in hands on exercises
In detail, you'll
- Have an idea of computer security fundamentals (confidentiality, ...)
- Be able to put infosec tools in perspective, and have tested some of these tools
- Adversarial view: be able to take the attacker's view (at least on a hypothetical level)
- Be able to relate information security to real-life impacts
- Have had a look at some current security tools and techniques
This course gives you a grand overview of security principles and practice with tools implementing these principles. Even though you're expected to be able to install and configure programs and troubleshoot some errors, this is not my most technical course. If you want a demanding, hands-on technical course with exploitation practice, pick Tunkeutumistestaus (Penetration Testing ict4tn027-3003) in addition to this.
I will keep updating the subjects, but you can write dates to your calendar right away.
Every class is on Tuesday, 17:40 to 20:30. It's a video conference through Jitsi, mandatory participation.
You can keep your presentation any suitable day, even on week two. Email Tero to reserve a slot.
| Date | Class |
| --- | --- |
| 2022-03-29 w13 | 1. Organizing. Overview of the course. Fundamentals vs common attacks. |
| 2022-04-05 w14 | 2. Aleksandr: Securing the supply chain: Automatic dependency verification for RPA libraries. Chris: Stuxnet, the attack on Iranian enrichment plant. Hashes, passwords and cracking them. |
| 2022-04-12 w15 | 3. Heli: Cryptocurrencies in accounting and taxation. Juuso: Cracking passwords. Samuli: Asymmetric encryption and SSH public key authentication. Public key encryption and signing. |
| 2022-04-19 w16 | 4. Practical encryption techniques. Ishup: Stealing cryptocurrencies: The PolyNetwork Hack. |
| 2022-04-26 w17 | 5. Antti: State-sponsored cyber attacks. Bitcoin intro. |
| 2022-05-03 w18 | 6. Bitcoin. |
| 2022-05-10 w19 | 7. Mariya: How to share account data without sharing credentials. OAuth flow. Anniina: Protecting Intellectual Property with Blockchain. Jenna: Crypto scams. |
| 2022-05-17 w20 | 8. Presentations. Veikko: Password managers. Teppo: People – the Weakest Link in Cyber Security. Lauri: NSO Group and Pegasus software. Päivi: Bitcoin and Money Laundry. Jan: Cheaters in game industry. |
Homeworks 70% and presentations 30%. Evaluation is based on totality of the skills and knowledge demonstrated.
Online classes require active participation.
Literature and links
(Haaga-Helia users should have free access to O'Reilly Learning aka Safari Online through our library, even when they are marked with € below)
r1 Overview, concepts and fundamentals
- OWASP Top 10 PDF, p. 21-22: Note About Risks; Details About Risk Factors.
- Schneier 1999: Modeling security threats (Attack trees)
- Darknet Diaries . (You can find interesting security incidents here. It's hours and hours of material, so just have a look. To listen to podcasts on Android, you can use AntennaPod from F-Droid)
- Krebs on Security (It's a whole blog, so just have a look. You can find security incident writeups here)
- MITRE ATT&CK (Tactics, techniques and procedures. It's big, it's enough to just have a look. )
- Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (cyber kill chain)
r2 Blockchain to Cryptocurrency
Nakamoto, Satoshi 2008: Bitcoin: A Peer-to-Peer Electronic Cash System. (A colored HTML version. This is the paper that defined and introduced BitCoin. You can skip "11. Calculations" if you don't like sigma symbols. The URL and email address on top of the paper seem unbelievable and added by a third party.)
Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 1 (about 1 hour). Requires free registration. If you find it easy to follow, you can also optionally look at week 2 (1,5 h).
r3 Offensive Views
- Karvinen 2020: Remote Learning Tools for Tero's Courses: Install Virtual Xubuntu Linux
- Karvinen 2019: Install WebGoat PenTest Learning Tool on Ubuntu – with Docker (Make sure your address starts with "localhost" when you practice.)
- Disobey 2020 Videos were just published. There are hours of videos, just have a look. Antti Virtanen: "I'm in your office" is an easy start.
- MitmProxy on Kali and Xubuntu – attack and testing
r4 CIA Triad and Encryption
- Schneier 2015: Applied Cryptography Chapter 1: Foundations €
- Curtin 1998: Snake Oil Warning Signs: Encryption Software to Avoid
r5 Applications: Pseudonymity
- Shavers & Bair 2016: Hiding Behind the Keyboard: The Tor Browser €
r6 BitCoin and Crypto Currencies
- Määttä et al 2020: Virtuaalivaluuttojen verotus VH/5083/00.01.00/2019. The previous version is available in English. The latest English version was not available at the time of writing. This is a long document, only read the parts relevant to you.
Homework is official only after it's given in the class.
Homework is due 24 hours before next class starts. Return a link to Moodle.
Below are some preliminary ideas for homework. They are only official after given by teacher, as I will of course give homeworks based on what we actually talked about.
h1 adversarial mindset
z) Read and summarize. A few bullets are enough for a summary.
- Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
- Darknet Diaries. Pick one episode.
- MITRE ATT&CK FAQ explains the ATT&CK Enterprise Matrix. Explain tactic, technique and procedure in context of ATT&CK, and give an example of each. The enterprise matrix is big, you can just glimpse/browse it to see what's available instead of reading hundreds of pages.
a) How would you compare Cyber Kill Chain and ATT&CK Enterprise matrix? Who do you think could benefit from these models? (Bonus: Do you think anything is missing from either of these models?)
b) Pick a security incident and learn about it. Write briefly about it. Point out the concepts of threat actor, exploit, vulnerability and (business) impact. (You can find writeups about security incidents from Darknet Diaries and Krebs)
c) Use either (Hutchins et al 2011) cyber kill chain or MITRE ATT&CK framework for analyzing the incident you used in a. You can pick any incident you want, but try to pick a source that gives you enough technical and business detail to do some analysis. (If you're in a hurry, cyber kill chain is much simpler. If you're technically skillful, you might find ATT&CK interesting)
d) Install Debian on Virtualbox. Report your work, including the environment (including host OS, the real physical computer used).
e) Accept course rules in Moodle, so that we can talk about practical exploits.
e) Voluntary bonus: What do you consider the fundamentals of security? What are the theoretical foundations you would teach on the first day?
- Some bullets for each article is enough. You don't need to have all content of the long articles in your summary.
- For the summary, add your own question, idea or comment
- Hutchins et. al. is the cyber kill chain paper.
- Darknet diaries: pick any other episode but the last one, so you'll have a different episode from everyone else
- To listen to podcasts on Android, you can use AntennaPod from F-Droid or Google Play
- Refer to each source you've used: the course, the task given, the papers, the podcasts - all sources you've used. All sources must be mentioned in every document, page or blog using them. It's enough to just name and link them, you don't need to write another list at the end. In fact, it's important to know which information comes from which source.
- My article Install Debian on Virtualbox explains it pretty well. It's also possible to use Xubuntu Linux.
- Got stuck with VirtualBox or Linux? Don't worry, computers are like that. Write a detailed report (in your homework) with screenshots. Explain what approaches you took and what happened. List where you found advice or articles. Explain your ideas why it would not work. You'll get help and advice in the class (and that's not all - you'll also get Linux on your virtual machine).
You can practice cracking our own hashes here. Some of the material linked here also shows penetration testing techniques that can only be practiced in separate test networks, but these techniques are not taught here and not needed in the homework. (Safe ways to practice those more offensive techniques are taught in my course Penetration testing / Tunkeutumistestaus.)
You're only allowed to start password hash cracking task after accepting course rules in Moodle. Most have probably accepted them already a week ago.
z) Read and summarize (with some bullet points, feel free to concentrate on things you find interesting)
- € Schneier 2015: Applied Cryptography: Chapter 2 - Protocol Building Blocks: From beginning of chapter to the end of "2.4 One-Way Hash Functions".
- Karvinen 2020: Command Line Basics Revisited
- € Santos et al 2017: Security Penetration Testing - The Art of Hacking Series LiveLessons: Lesson 6: Hacking User Credentials (8 videos, about 30 min)
- Karvinen 2022: Cracking Passwords with Hashcat (Update: added this article to make your life easier)
a) Install hashcat and test that it works.
b) Crack this hash: 21232f297a57a5a743894a0e4a801fc3
c) Crack this Windows NTLM hash: f2477a144dff4f216ab81f2ac3e3207d (Update: I added the tip that it's NTLM)
d) Try cracking this hash and comment on your hash rate $2y$18$axMtQ4N8j/NQVItQJed9uORfsUK667RAWfycwFMtDBD6zAo1Se2eu (Update: Crack this -> Try cracking this. I'm interested in your comments on the hash rate, no need to get the password).
e) Voluntary bonus: make hashcat work with your display adapter (GPU).
f) Voluntary bonus: create some hashes of your own, then crack them with hashcat.
g) Voluntary bonus hash. John the Ripper aka 'john' might also work here.
$ sudo grep elmik9 /etc/passwd /etc/shadow
/etc/passwd:elmik9:x:1003:1003:Elmeri "9" Elmik,,,:/home/elmik9:/bin/bash
/etc/shadow:elmik9:$1$xpRkwrhq$aXdu7HQirUmuTZW2m8OXs.:18401:0:99999:7:::
- You can likely get the paywalled books and videos for free with your Haaga-Helia account, trough Haaga-Helia library's A-Z Databases. This page has a lot of free goodies included in your Haaga-Helia student status.
- Schneier's book is famous. It's pretty dense; if this was made by a YouTube influencer, you'd get three seasons of videos from the first couple of paragraphs.
- 'sudo apt-get update', 'sudo apt-get install hashcat hashid micro'
- In many tutorials, the hackers guess the type of the hash by comparing it to examples. I prefer using 'hashid -m feedd0c5', the right hash type is usually in top three, and the mode number (-m) is the same as the required -m parameter for hashcat.
- You can use rockyou.txt or similar dictionary.
- Some of the practical exercises can be challenging if you're new to the world of hacking. Don't worry, computers are like that. Write a detailed report (in your homework) with screenshots. Explain what approaches you took and what happened. List where you found advice or articles. Explain your ideas why it would not work. You'll get help and advice in the class. As these are the tools that actual hackers and pentesters use, they are more optimized for getting results than for being the most beginner friendly.
- Only test on practice data and practice targets. Follow the laws, never point any of these tools to production data or production systems.
- If you're in another jurisdiction (not Finland), also check the local rules and laws before any pentest related practice.
- Something to think about: we just learned that hashing is a one-way function. If this is true, why can you crack the hash and find out the original password?
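An added example (my own code, not part of the course page) that puts the hints above together: a format-based hash-type guess similar to what 'hashid -m' does, a dictionary attack on an unsalted MD5 hash, and the same attack against a salted, iterated hash, which is why the hash rate in task d) collapses. The wordlist, the leaked hash and the salt are constructed for this example; the mode numbers are hashcat's own.

```python
import hashlib
import hmac

# Constructed wordlist standing in for a dictionary such as rockyou.txt.
WORDLIST = ["123456", "qwerty", "password", "letmein", "sunshine"]

# hashcat's own -m mode numbers for the four formats in this homework;
# 'hashid -m' prints the same numbers next to its guesses.
HASHCAT_MODES = {"MD5": 0, "NTLM": 1000, "md5crypt": 500, "bcrypt": 3200}


def identify_hash(h):
    """Guess hash types from the format alone (own heuristic, hashid-style).

    A bare 32-hex-digit string is ambiguous: MD5 and NTLM look identical,
    which is why task c) needed the tip that its hash is NTLM.
    """
    if h[:4] in ("$2a$", "$2b$", "$2y$"):
        return ["bcrypt"]
    if h.startswith("$1$"):
        return ["md5crypt"]
    if len(h) == 32 and all(c in "0123456789abcdef" for c in h.lower()):
        return ["MD5", "NTLM"]
    return []


def crack_md5(target_hex, wordlist):
    """Dictionary attack on an unsalted MD5 hash.

    Nothing here inverts MD5; it stays one-way. The attack works because
    the password space is small enough to hash every guess forward.
    """
    target = target_hex.lower()
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == target:
            return guess
    return None


def slow_hash(password, salt, iterations):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) standing in for bcrypt $2y$."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_slow(target, salt, iterations, wordlist):
    """Same dictionary attack against the salted, iterated hash.

    It still succeeds when the password is in the wordlist, but every guess
    now costs `iterations` HMAC calls, and the salt makes a precomputed
    table useless for other users: that is the hash rate drop in task d).
    """
    for guess in wordlist:
        if hmac.compare_digest(slow_hash(guess, salt, iterations), target):
            return guess
    return None


if __name__ == "__main__":
    leaked = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed: MD5 of a wordlist entry
    print(identify_hash(leaked), crack_md5(leaked, WORDLIST))
```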
h3 public key encryption and pgp
a) Read and summarize (with 1-5 bullet points for each heading)
- Schneier 2015: Applied Cryptography Chapter 1: Foundations €
b) Give two examples of public key cryptography (other than PGP). Explain how public keys are used here.
c) Encrypt and sign a message. Then decrypt and verify it. Use PGP to encrypt and sign messages.
d) Voluntary: Secrets with friends. Send a PGP message to your friend, and decrypt the reply.
e) Voluntary: Find the correct PGP key for Richard Stallman, the head of Free Software Foundation. Then find an incorrect, suspect or fake PGP key for Stallman. Why do you think one key is genuine and another is suspect?
f) Voluntary, programmers only: Cryptopals. Solve Set 1: Challenges 1-3. I highly recommend Cryptopals for learning to break cryptography.
- To encrypt with PGP, you can use GnuPG aka gpg (Linux: 'sudo apt-get install gpg', Windows gpg4win; I haven't tested the Windows version).
- gpg --gen-key; gpg --fingerprint; gpg --export --armor bob > bob.asc; gpg --import bob.asc; gpg --encrypt --sign --recipient bob message.txt; gpg --decrypt message.txt.gpg
- To use PGP in your daily life, I recommend Thunderbird and Enigmail.
In Finland, it's legal to use TOR at the time of writing. If you reside in another jurisdiction, laws might be different. Obviously, it's illegal to do illegal things in TOR, just like it's illegal to do illegal things anywhere. Only do legal things.
x) Read and summarize
- Shavers & Bair 2016: Hiding Behind the Keyboard: The Tor Browser €
a) Install TOR browser and access TOR network (.onion addresses). (Explain in detail how you installed it, and how you got access to TOR).
b) Browse TOR network, find, take screenshots and comment
- search engine for onion sites
c) Find an example where the anonymity of a TOR user was compromised. How was it done? Who did it? Could the deanonymization be replicated?
d) What other pseudonymous/anonymous networks are there? What's their killer feature? How are they different from TOR?
e) In your own words, how does anonymity work in TOR? (e.g. how does it use: public keys, encryption, what algorithms?)
f) What kind of threat models could TOR fit?
v) Read/watch and summarize
- Nakamoto, Satoshi 2008: Bitcoin: A Peer-to-Peer Electronic Cash System. (A colored HTML version. This is the paper that defined and introduced BitCoin. You can skip "11. Calculations" if you don't like sigma symbols. The URL and email address on top of the paper seem unbelievable and added by a third party.)
- Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 1 (about 1 hour). Requires free registration. If you find it easy to follow, you can also optionally look at week 2 (1,5 h).
x) Help a friend. Evaluate another report in Laksu.
a) Value of bit money. How much is one BitCoin (BTC) worth now? Using the historical BTC exchange rate, show that you could have lost a lot of money investing in BTC. Also show that you could have won a lot of money with BTC.
b) Is it legal to own BitCoin in Finland? Why do you think so?
c) What's a block chain? Give a simple but detailed explanation. (Feel free to use the most narrow and simple definition of blockchain - no need to consider a whole cryptocurrency).
d) Not BitCoin. Give examples of some AltCoins, crypto currencies competing with BitCoin. For each AltCoin: how does it differ, what's its claim to fame?
f) Reserve your presentation by email to Tero if you have not given a presentation yet. (Updated. This is just for those who have not given a presentation yet. This subtask does not require performing any tests on a computer.)
g) Voluntary: Buy some BitCoin. If you're new to this, don't risk a lot of money.
h) Voluntary: When do you have to pay taxes for BitCoin in Finland? (If you want, you can instead check taxation in another country)
i) Voluntary: Describe a simple cryptocurrency (you can invent one yourself or use an existing toy example).
j) Voluntary: Secret or public? Find some transactions on a BitCoin account that is related to a case that has had publicity.
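An added example (my own code, not from the course page or the Bitcoin project) of the narrow definition of a block chain asked for in c), and of the block parts you will meet in h7 a): each block header commits to the previous block's hash, to the transactions, and to a nonce found by proof of work, so changing any old transaction breaks every later link. The transactions are constructed; the hash-prefix difficulty and JSON header are simplifications of Bitcoin's binary header and numeric target.

```python
import hashlib
import json

DIFFICULTY = 3  # leading hex zeros required; Bitcoin uses a numeric target instead


def block_hash(header):
    """SHA-256 over a canonical JSON header (Bitcoin double-hashes a binary header)."""
    data = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def tx_root(transactions):
    """One hash committing to the whole transaction list (stand-in for the Merkle root)."""
    return hashlib.sha256(json.dumps(transactions, sort_keys=True).encode()).hexdigest()


def mine_block(prev_hash, transactions):
    """Proof of work: increment the nonce until the header hash meets the target."""
    header = {"prev_hash": prev_hash, "tx_root": tx_root(transactions), "nonce": 0}
    while not block_hash(header).startswith("0" * DIFFICULTY):
        header["nonce"] += 1
    return {"header": header, "transactions": transactions, "hash": block_hash(header)}


def build_chain(blocks_of_txs):
    """Mine one block per transaction list, each pointing at the previous block."""
    chain = []
    prev = "0" * 64  # the genesis block points at nothing
    for txs in blocks_of_txs:
        block = mine_block(prev, txs)
        chain.append(block)
        prev = block["hash"]
    return chain


def is_valid_chain(chain):
    """Re-check every link: prev_hash pointer, tx commitment, stored hash, proof of work."""
    prev = "0" * 64
    for block in chain:
        header = block["header"]
        if header["prev_hash"] != prev:
            return False
        if header["tx_root"] != tx_root(block["transactions"]):
            return False
        h = block_hash(header)
        if h != block["hash"] or not h.startswith("0" * DIFFICULTY):
            return False
        prev = h
    return True


if __name__ == "__main__":
    # Constructed transactions, not real ledger data.
    chain = build_chain([[{"from": "alice", "to": "bob", "btc": 1.5}],
                         [{"from": "bob", "to": "carol", "btc": 0.5}]])
    print(is_valid_chain(chain), chain[1]["header"])
    chain[0]["transactions"][0]["btc"] = 100.0  # rewrite history
    print(is_valid_chain(chain))
```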
h6 Can of Worms
v) Read/watch and summarize
- Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 2 (about 1,5 hours). Requires free registration. If you find it easy to follow, you can also optionally look at weeks 3 and 4.
a) Can of worms. Run some malware in https://any.run web interface. What malware was that? How did it work? Take some screenshots, and explain what we see. Do you recognize any techniques or tactics? What did you learn? Do not download any malware samples to your own computer.
b) Reference implementation. Ever cop^H^H^Hlearned from StackOverflow? Pick a StackExchange site related to the course, sort questions by score, and briefly explain one question and answer. https://stackexchange.com/sites
c) Return your homework link to Laksu. Evaluate (at least) two other reports (for this task) in Laksu. Thanks for helping your fellow students with your feedback! (This subtask of returning to Laksu does not need to be reported, it just needs to be done.)
c) Voluntary. Cryptopals 1. Solve Cryptopals challenge set 1: tasks 1 "Convert hex to base64" to 4 "Detect single-character XOR". This task requires programming skills.
- Handling malware requires care.
- This is the task you requested earlier in the course, and this is a quite safe and easy way to do it.
- Only use your browser to look at any.run's web interface, running malware on any.run's computers.
- This task does not require downloading any malware samples to your computer.
- If you want to learn malware analysis, HelSec and Disobey sometimes offer workshops on this. The ones I've participated in have been very good.
- Do them in order, starting from the very first task.
- When you solve the tasks, you'll learn the skills needed for harder tasks.
- You can use any programming language
- StackExchange sites
- If you code, you probably know StackOverflow
- Some good picks for this course are "Information Security" and "Bitcoin". Maybe also "Cryptography".
- Can you find others?
h7 Final Countdown
Return to Laksu, like last time.
a) Find a block and a transaction in BitCoin public ledger and explain its key parts.
b) Return everything. Add links to each of your homework reports here.
c) References. Check that you are referring to all of your sources in each of your reports: course, homework task, books, videos, web pages, reports by other students, manuals.
d) Two. Evaluate and give feedback on two homework packages in Laksu.
- You can find examples of BitCoin blocks and transactions on multiple free web services, search for "bitcoin block explorer"
- Two (evaluate two homework packages)
- Comment on each report, then add a summary at the end
- Are all tasks answered? Were they all solved? If some tasks were not completely solved, does the answer try and report sensible approaches towards the solution?
- Do the answers explain and analyze the question or the test?
- For technical tasks done on a computer
- Repeatable? Does the report describe environment (OS, software versions, download URLs..), commands given and results so that you could do the same thing on a computer? And get the same problems, and solve them the same way?
- Is the end result tested?
Thanks already! Your feedback is very important to me. I will read it all (twice+) and make improvements. Please give your feedback to two channels: comment & mynet.
1) Free form feedback as a comment on this page
You can write what ever you want. No need to repeat the questions, but they are here to get you started.
- Did you learn something? Do you now know something you did not know before the course? (Models, frameworks, ideas, tools?)
- Did you do something for the first time? (Used some technique or a tool for the first time?)
- Is this useful? Are these skills and this knowledge useful in companies or your work?
- How did you like the presentations? Interesting subject? Did you like presenting? Useful information? Actionable?
- Did you find homework useful? Interesting? Challenging enough?
- Feelings: did you enjoy the course?
- How could I improve the course? (I can make almost any change here, if it's important)
- Would you recommend the course? Have you already recommended it? Who would benefit from the course (a colleague, a fellow student)?
2) Numeric feedback to Haaga-Helia feedback system (MyNet / Peppi)
- Your active participation in studies
- Achieving the learning goals
- The study methods supported learning
- The study environment supported learning
- Benefits to your career
Open, you can copy the same answer you gave earlier
- What promoted your learning?
- How would you develop the implementation / group of implementations further so that the learning goals could be achieved better?
Your overall assessment of the implementation, 1-worst, 5-best
How likely would you recommend the course to your fellow students? 1-worst, 10-best.
Thank you for your feedback, and thank you for our course!
Optional: Keep up with Linux & security, join Tero's list. (And get invitations to visitors on security)
See you in my future courses!