ICT Security Basics - from Trust to Blockchain - ict4hm003 2021 Spring
Learn security fundamentals to understand current trends.
Blockchains, TOR network and video conference encryption all stand on these fundamentals.
Online course - I (Tero) will give and evaluate all my courses completely online during 2021 Spring.
Moodle (requires Haaga-Helia account)
In this course, you will
- Learn fundamentals of computer security
- See them in hands-on exercises
In detail, you'll
- Have an idea of computer security fundamentals (confidentiality, ...)
- Think of security as risk management; recognize some of the risks in ICT
- Be able to put infosec tools in perspective, and have tested some of these tools
- Be able to take the attacker's view (at least on a superficial, hypothetical and descriptive level)
- Have had a look at some current security tools and techniques
This course gives you a grand overview of security principles and practice with tools implementing these principles. Even though you're expected to be able to install and configure programs and troubleshoot some errors, this is not my most technical course. If you want a demanding, hands-on technical course with exploitation practice, pick Tunkeutumistestaus (Penetration Testing ict4tn027-3003) in addition to this.
This initial timetable will change during the course.
Every class is on Monday, 17:40 to 20:30. It's a video conference through Jitsi.
- 2021-03-29 w13 Organizing, overview of the course. Fundamentals. CIA triad. Adversarial situation. Business view. Attack tree. Attacker view and pentest. The most common ways to attack companies (spear phishing, OWASP 10...).
- (no class on 2021-04-05 w14)
- 2021-04-12 w15 Blockchain and cryptocurrency.
- 2021-04-19 w16 Public key encryption and signing.
- 2021-04-26 w17 Ufuk Topçu: Mining Ethereum. Practical encryption techniques.
- 2021-05-03 w18 Computer forensics. Visiting class by Andrej Bondarenko, Difseco.
- 2021-05-10 w19 New applications for encryption. Recap.
- 2021-05-17 w20 Presentations.
Homework 50% and presentations 50%. Evaluation is based on the totality of the skills and knowledge demonstrated.
Literature and links
(Haaga-Helia users should have free access to O'Reilly Learning aka Safari Online through our library, even when they are marked with € below)
r1 Overview, concepts and fundamentals
- OWASP 10 pdf, p 21-22: Note About Risks; Details About Risk Factors.
- Schneier 1999: Modeling security threats (Attack trees)
- Darknet Diaries. (You can find interesting security incidents here. It's hours and hours of material, so just have a look. To listen to podcasts on Android, you can use AntennaPod from F-Droid)
- Krebs on Security (It's a whole blog, so just have a look. You can find security incident writeups here)
- MITRE ATT&CK (Tactics, techniques and procedures. It's big, it's enough to just have a look.)
- Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (cyber kill chain)
r2 Blockchain to Cryptocurrency
- Nakamoto, Satoshi 2008: Bitcoin: A Peer-to-Peer Electronic Cash System. (A colored HTML version. This is the paper that defined and introduced BitCoin. You can skip "11. Calculations" if you don't like sigma symbols. The URL and email address on top of the paper seem unbelievable and added by a third party.)
- Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 1 (about 1 hour). Requires free registration. If you find it easy to follow, you can also optionally look at week 2 (1,5 h).
r3 Offensive Views
- Karvinen 2020: Remote Learning Tools for Tero's Courses: Install Virtual Xubuntu Linux
- Karvinen 2019: Install WebGoat PenTest Learning Tool on Ubuntu – with Docker (Make sure your address starts with "localhost" when you practice.)
- Disobey 2020 Videos were just published. There are hours of videos, just have a look. Antti Virtanen: "I'm in your office" is an easy start.
- MitmProxy on Kali and Xubuntu – attack and testing
r4 CIA Triad and Encryption
- Schneier 2015: Applied Cryptography Chapter 1: Foundations €
- Curtin 1998: Snake Oil Warning Signs: Encryption Software to Avoid
r5 Applications: Pseudonymity
- Shavers & Bair 2016: Hiding Behind the Keyboard: The Tor Browser €
r6 BitCoin and Crypto Currencies
- Määttä et al 2020: Virtuaalivaluuttojen verotus VH/5083/00.01.00/2019. Previous version is available in English. The latest English version was not available at the time of writing. This is a long document, only read the parts relevant to you.
Homework is official only after it's given in the class.
(all but h1) Homework is due on Monday 09:00, so about nine hours before the next class.
h1 adversarial mindset
Deadline for h1 is w14 Friday 16:00, because there is no class on w14 Monday.
Before you start working, read about the key terms and concepts in security in literature and links.
a) Pick a security incident and learn about it. Write briefly about it. Point out the concepts of threat actor, exploit, vulnerability, impact and risk. (You can find writeups about security incidents from Darknet Diaries and Krebs)
b) Use either (Hutchins et al 2011) cyber kill chain or MITRE ATT&CK framework for analyzing the incident you used in a. You can pick any incident you want, but try to pick a source that gives you enough technical and business detail to do some analysis. (If you're in a hurry, cyber kill chain is much simpler. If you're technically skillful, you might find ATT&CK very interesting)
c) Use an attack tree to analyze the security of some imaginary example target.
d) MITRE ATT&CK is about tactics, techniques and procedures. Give an example of each from the framework.
e) Accept course rules in Moodle, so that we can talk about practical exploits.
f) Voluntary bonus: What do you consider the fundamentals of security? What are the theoretical foundations you would teach on the first day?
h2 blockchain and cryptocurrency
Homework is due on Monday 09:00, so about nine hours before the next class.
Before you start working, read r2 Blockchain and cryptocurrency
a) Read Nakamoto's 2008 Bitcoin paper. (Feel free to skip "11. Calculations") Explain how BitCoin uses the following (about one sentence per concept):
- proof of work
b) Watch Felten et al 2015: Bitcoin and Cryptocurrency Technologies: Week 1 (about 1 h, requires free registration). Summarize each video with a couple of bullet points (3-5 bullets).
c) Find a block and a transaction in BitCoin public ledger and explain parts of it. (Feel free to leave lots of things out, we don't need to fully understand most of it yet).
d) Create your own blockchain. Once you've created it, show step by step how you verify the whole blockchain, starting from the last block. Once you've verified your whole chain, make a modification in a block in the middle, and show how your verification catches the change.
e) Voluntary, for coders only: code your own tool to solve hash puzzles. E.g. what string needs to be added to "Tero" to create an sha256 hash that starts with a zero?
f) Voluntary. They say hashes are one-way (hiding). So, 6b88c087247aa2f07ee1c5956b8e1a9f4c7f892a70e324f1bb3d161e05ca107b is an sha256 hash of a single lower case word. I wonder what it is...
g) Voluntary: Watch and summarize Week 2 of Felten et al 2015 video lectures. 3-5 bullets per video.
- To explore Bitcoin public ledger, DuckDuckGo/Google "Bitcoin Explorer" to find sites that allow you to view blocks and transactions.
- Public BitCoin Ledger shows, for example, amount of money moving, block reward, date of transaction, how difficult the hash puzzle was...
- You can create and verify your blockchain manually, by using a text editor and sha256sum. E.g. (block 0: "Tero"), (block 1: sha256sum_of_block_0, "Dragonfly"), (block 2: sha256sum_of_block_1, "Potato")
- You can use 'sha256sum' or a web tool to calculate hashes.
- Want to make exploring the public ledger more challenging? Find and explain transaction related to a real world event, e.g. a crime.
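The manual chain from the tip above (each block stores the sha256sum of the previous block), written out as a script. This is an added example, not part of the original course page; the one-file-per-block layout and the function names are assumptions. Verification starts from a tip hash recorded separately, because a chain checked only against itself cannot notice a rewritten last block.

```sh
#!/bin/sh
# Added example: one block per file (block0, block1, ...); layout is assumed.

# Print the SHA-256 hex digest of one block file.
block_hash() { sha256sum "$1" | cut -d' ' -f1; }

# build_chain DIR PAYLOAD...
# Block 0 holds only its payload. Every later block holds the hash of the
# previous block on line 1 and its payload on line 2. Prints the tip hash.
build_chain() {
    bc_dir=$1; shift
    bc_i=0; bc_prev=""
    for bc_payload in "$@"; do
        if [ "$bc_i" -eq 0 ]; then
            printf '%s\n' "$bc_payload" > "$bc_dir/block$bc_i"
        else
            printf '%s\n%s\n' "$bc_prev" "$bc_payload" > "$bc_dir/block$bc_i"
        fi
        bc_prev=$(block_hash "$bc_dir/block$bc_i")
        bc_i=$((bc_i + 1))
    done
    echo "$bc_prev"
}

# verify_chain DIR TIP_HASH
# Walks from the last block back to block 0. Prints "ok", or the number of
# the first block whose hash is not the expected one, and returns 0 or 1.
verify_chain() {
    vc_dir=$1; vc_expect=$2; vc_i=0
    while [ -f "$vc_dir/block$((vc_i + 1))" ]; do vc_i=$((vc_i + 1)); done
    while :; do
        if [ "$(block_hash "$vc_dir/block$vc_i")" != "$vc_expect" ]; then
            echo "$vc_i"; return 1
        fi
        if [ "$vc_i" -eq 0 ]; then break; fi
        vc_expect=$(head -n 1 "$vc_dir/block$vc_i")   # hash of previous block
        vc_i=$((vc_i - 1))
    done
    echo "ok"
}

# Demo with the constructed payloads from the tip: Tero, Dragonfly, Potato.
demo_dir=$(mktemp -d)
demo_tip=$(build_chain "$demo_dir" Tero Dragonfly Potato)
verify_chain "$demo_dir" "$demo_tip"                      # intact chain
demo_link=$(head -n 1 "$demo_dir/block1")
printf '%s\n%s\n' "$demo_link" "Dragonfry" > "$demo_dir/block1"
verify_chain "$demo_dir" "$demo_tip" || true              # block 1 changed
rm -rf "$demo_dir"
```

If the editor of block 1 also rewrites the link line in block 2, the failure moves to block 2, and it is caught only because the tip hash was kept outside the chain files.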
h3 public key encryption and pgp
a) Read and summarize (with 1-5 bullet points for each heading)
- Schneier 2015: Applied Cryptography Chapter 1: Foundations €
b) Give two examples of public key cryptography (other than PGP). Explain how public keys are used here.
c) Encrypt and sign a message. Then decrypt and verify it. Use PGP to encrypt and sign messages.
d) Voluntary: Secrets with friends. Send a PGP message to your friend, and decrypt the reply.
e) Voluntary: Find the correct PGP key for Richard Stallman, the head of Free Software Foundation. Then find an incorrect, suspect or fake PGP key for Stallman. Why do you think one key is genuine and another is suspect?
f) Voluntary, programmers only: Cryptopals. Solve Set 1: Challenges 1-3. I highly recommend Cryptopals for learning to break cryptography.
- To encrypt with PGP, you can use GnuPG aka gpg (Linux: 'sudo apt-get install gpg', Windows gpg4win; I haven't tested the Windows version).
- gpg --gen-key; gpg --fingerprint; gpg --export --armor bob; gpg --import; gpg --encrypt --sign --recipient bob; gpg --decrypt;
- To use PGP in your daily life, I recommend Thunderbird and Enigmail.
h4 cracking hashes
You can practice cracking our own hashes here. Some of the material linked here also shows penetration testing techniques that can only be practiced in separated test networks, but these techniques are not taught here and not needed in the homework. (Safe ways to practice those more offensive techniques are taught in my course Penetration testing / Tunkeutumistestaus.)
z) Read and summarize (with some bullet points, feel free to concentrate on things you find interesting)
- € Santos et al 2017: Security Penetration Testing - The Art of Hacking Series LiveLessons: Lesson 6: Hacking User Credentials (8 videos, about 30 min)
a) Install hashcat and test that it works.
b) Crack this hash: 21232f297a57a5a743894a0e4a801fc3
c) Crack this Windows related hash: f2477a144dff4f216ab81f2ac3e3207d
d) Crack this hash and comment on your hash rate $2y$18$axMtQ4N8j/NQVItQJed9uORfsUK667RAWfycwFMtDBD6zAo1Se2eu
e) Voluntary bonus: make hashcat work with your display adapter (GPU).
f) Voluntary bonus: create some hashes of your own, then crack them with hashcat.
g) Voluntary bonus hash. John the Ripper aka 'john' might also work here.
$ sudo grep elmik9 /etc/passwd /etc/shadow
/etc/passwd:elmik9:x:1003:1003:Elmeri "9" Elmik,,,:/home/elmik9:/bin/bash
/etc/shadow:elmik9:$1$xpRkwrhq$aXdu7HQirUmuTZW2m8OXs.:18401:0:99999:7:::
Tips: Use 'hashid -m deadbeef' to identify hashes. You can use rockyou.txt or similar dictionary.
There was no h5 due to the visiting lecture on forensics.
z) As always, read the articles mentioned in literature and links.
a) Value of bit money. How much is one BitCoin (BTC) worth now? Using the historical BTC price, show that you could have lost a lot of money investing in BTC. Also show that you could have won a lot of money with BTC.
b) Is it legal to own BitCoin in Finland? Why do you think so?
c) What's a block chain? Give a simple but detailed explanation. (Feel free to use the most narrow and simple definition of blockchain - no need to consider a whole cryptocurrency).
d) Not BitCoin. Give examples of some AltCoins, crypto currencies competing with BitCoin. For each AltCoin: how does it differ, what's its claim to fame?
f) Prepare a 5-7 minute presentation on the subject you reserved. We'll have presentations next week.
g) Voluntary: Buy some BitCoin. If you're new to this, don't risk a lot of money.
h) Voluntary: When do you have to pay taxes for BitCoin in Finland? (If you want, you can instead check taxation in another country)
i) Voluntary: Describe a simple cryptocurrency (you can invent one yourself or use an existing toy example).
j) Voluntary: Secret or public? Find some transactions on a BitCoin account that is related to a case that has had publicity.
a) Prepare a short presentation on a topic related to the course. Write an abstract of your presentation here.
b) All homework. Add link to every homework report here.
c) Check your references in every homework report. Have you referred/linked to all sources in every report: course, task page, books, web pages, other students' homework reports used as basis?
Tip: Of course, you'll present your topic free form; not reading your abstract aloud.
Thank you for taking my course & good luck for your presentation!