Data Security 2022
ict4tf022-3009

Data security course, in English as you asked.

Understand adversarial view on security. Recognize key concepts of security. Be able to safely practice hands-on with security tools.

Course name and code: Data Security ICT4TF022-3008
Timing: 2022 period 1, early autumn, w34-w41
Credits: 5 cr
Classes: Wednesdays 08:15 - 13:45, online, mandatory participation
Max students: 30 - Enroll 2021-11-29 w48 Monday at 08:00.
Language: English
Remote: Yes, fully remote
Feedback: 4.6 / 5, excellent feedback, five star experience
Services: Moodle, Jitsi, Laksu
First class: 2022-08-24 w34 Wed 08:15, Tero has already emailed the video conference link

I'm giving other security courses, too. Penetration testing (challenging course in Finnish) has reached 5.0 /5, with every participant giving feedback. And Master level (YAMK) Trust to Blockchain got 4.9 /5.

Agenda

All classes are online.

You can already write down the dates in your calendar. This course is going through a major upgrade, so the subjects in this agenda will keep updating.

Date Subject
w34 Organizing. Fundamentals. Practice environments.
w35 Web security. Cyber kill chain.
w36 Threat modeling. ATT&CK.
w37 Recon. Practice environments.
w38 Encryption.
w39 Presentations. Noora: Network Segmentation. Kris: Steganography, hiding secrets in plain sight. Hanna: OSINT, open source intelligence. Andrei: Rolling my own crypto with Python. Zeeshan: Managing secrets with Vault. Jukka: Carbanak. Saranga: Data Masking.
w40 Presentations. Timo: Password managers. Le: Create Your Own Cipher Using Javascript. Ramona: ZeuS, stealing your Windows banking and passwords. Georgii: Social Engineering.
w41 Passwords and hashes (if we have the time). Recap.

Goals

After completing this course, you will

  • Understand adversarial view on security
  • Recognize key concepts of security
  • Be able to safely practice hands-on with security tools

Hands-on exercises will emphasize environments fully controlled by you, using free open source software in your possession.

Assessment

  • Active participation in classes
  • Homework (66%)
  • Presentation (33%)

Evaluation of the course is based on the totality of the work presented.

Feedback

Thanks already! Your feedback is very important to me. I will read it all (twice+) and make improvements. Please give your feedback to two channels.

1) Free form feedback as a comment on this page

Write your comment on this page.

You can write whatever you want. No need to repeat the questions, but they are here to get you started.

  • Did you learn something? Do you now know something you did not know before the course? (Models, frameworks, ideas, tools?)
  • Did you do something for the first time? (Break web protections with Webgoat, capture traffic, plan attacks? Used some technique or a tool for the first time?)
  • Is this useful? Are these skills useful in companies?
  • How did you like the presentations? Interesting subject? Did you like presenting? Useful information? Actionable?
  • Feelings: did you enjoy the course?
  • How could I improve the course? (I can make almost any change here, if it's important)
  • Would you recommend the course? Have you already recommended it? Who would benefit from the course (a colleague, a fellow student)?

2) Numeric feedback to Haaga-Helia feedback system (Peppi)

Feedback in MyNet (Peppi)

1-worst, 5-best

  • Your active participation in studies
  • Achieving the learning goals
  • The study methods supported learning
  • The study environment supported learning
  • Benefits to your career

Open, you can copy the same answer you gave earlier

  • What promoted your learning?
  • How would you develop the implementation / group of implementations further so that the learning goals could be achieved better?

Your overall assessment of the implementation, 1-worst, 5-best

How likely would you recommend the course to your fellow students? 1-worst, 10-best.

Thank you for your feedback, and thank you for our course!

Optional: Keep up with Linux & security, join Tero's list. (And get invitations to visitors on security)

See you in my future courses!

Homeworks

Homeworks are done with a computer and reported at the same time. If some task does not require performing tests with a computer, this is specified in the task text.

Each homework is returned

  • 24 h before start of next lecture
  • you can publish your homework report in any website you like
  • return a link to Laksu
  • cross-evaluate two other homeworks

To save everyone's time, I will remove those from the course who don't return homework.

Wordpress.com is a very easy place to publish reports. Github is nice if you already know git version control and MarkDown. I highly recommend publishing your work, it seems to help getting job offers. But if you don't dare or want to publish, you can put your web page behind a password (same password for all reports), and share this password with your group.

The homeworks are official after they are given in the class. Don't start them before, because they might change.

h1

Become a hacker, step 0

Start the homework only after you've accepted the rules in course Moodle.

Tips:

  • Why are these tasks just the right level? To prepare you for learning hacker skills in this course.
  • Why are these tasks so hard? => See below, "If you get stuck".
  • Why are these tasks so easy? => Because you've practiced before, good for you. Also do voluntary bonus tasks above for some challenge and development. Still too easy? Contact me for special arrangements, I want you to spend your time efficiently.
  • In "Read and summarize":
    • read first, then summarize
    • summarize key content, not just headings
    • add a question, an idea or a comment of your own to each article
  • Yes, you're expected to read the friendly manuals, Google/Duck, and try multiple approaches
  • Refer & link any sources you use
    • Course / the classes
    • Homework assignments
    • Homework reports by other students
    • Any web pages
    • Manuals, Articles, Man pages...
  • When reporting tests on a computer
    • Write while you work
    • Save often
    • Explain why
    • Have some screenshots
    • If some command output is very long, only quote relevant parts (if you want, you can put the long text as an appendix or behind a link)
  • If you get stuck
    • Don't worry: Computers are cranky, that's why they pay hackers well
    • Solve and report all parts you can do
    • Return your partial report in time
    • Google/Duck. That's what the pros do, too. Write down a reference to the sources you used.
    • If you need to look at a walkthrough (an exact solution to this homework, task or flag), clearly mark where you needed it.
    • Solve the trouble part as far as you can. Report all approaches taken.
    • Ask about the challenges in the class, likely someone else had the same thing
  • Bandit uses SSH. In Linux, that's 'ssh tero@example.com', and it might also work in new Windowses. For older Windowses, you can also use Putty SSH.
  • Read my (Tero's) articles on how to install Debian & WebGoat before you start
  • To see some example solutions for homeworks, Google/Duck my name + course name, e.g. "Tero Karvinen Penetration Testing" without the quotes.
  • Be safe: in this homework, only attacks you perform are to webgoat running on the localhost of your own computer

h2

Oh, wasp!

Remember to keep it safe, legal and ethical. Even if you grasp OWASP Top 10, you still can't try these on machines you don't own.

  • x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
  • a) Sequel. Solve SQLZoo:
    • 0 SELECT basics
    • 2 SELECT from World
  • b) Injected. Solve WebGoat:
    • A1 Injection (intro)
  • m) Voluntary bonus: Pick your tasks from SQLZoo 1, 3-9.
  • n) Voluntary difficult bonus: WebGoat: SQL Injection (advanced).
  • o) Voluntary difficult bonus: Install a relational database, show CRUD operations using SQL
  • q) Voluntary difficult bonus: Demonstrate aggregate functions (SUM, COUNT) with your own data you created in the previous step.
  • p) Voluntary difficult bonus: Install a practice target for SQL injections, exploit it.
  • r) Voluntary difficult bonus: Demonstrate JOIN with your own database

Tips:

  • Pick a CVE:
    • You can get inspiration from CVETrends or many other CVE sites.
    • Or straight from the horse's mouth: Mitre: CVE and @CVEnew in Twitter.
    • You can check Hacker News, Twitter or general news sites for CVEs that are notorious.
    • If you stumbled upon a super complicated CVE and can't understand what it even means, pick a simpler one.
  • Darknet diaries
    • Yes, I know it's a great podcast. A good choice to get up to speed with famous security incidents.
    • AntennaPod is a convenient Android program for listening to podcasts. It's available in F-Droid and Google Play. Of course, there are hundreds if not thousands of other podcast programs, too.
    • Pick any episode. Check descriptions, and pick one that's likely to be suitable here.
    • What did you learn? Point out threat actors, exploits, vulnerabilities and impact. How could defenders mitigate the attack better? How could the attackers improve their attack?
    • If you pick an episode that's not the last one, you're more likely to pick an episode that's not the same one everyone else picked.
  • SQLZoo
    • If you've got a lot of experience with databases already and SQLZoo is too easy, you can do the difficult voluntary bonus instead "Install relational database, show..."
    • Yes, I think they really run your queries on database management system
  • WebGoat
    • What kind of quotes did SQL have?
    • If you raise everyone's salaries, are you the richest anymore?
    • The names here are the same as in OWASP 10 2021 and OWASP 10 2017.
    • In injections, it's nice to know:
      • SQL string delimiter (single quote, apostrophe) "'" (end of user input, start of my hostile injection)
      • SQL comment (double dash) "--" (end of my evil injection, you can ignore the rest, dear database management system)
      • There are many ways to do SQL injection
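The two markers above (a single quote ending the string literal, a double dash commenting out the rest) are exactly what a string-concatenated query cannot tell apart from data. As an added example, not from the course or WebGoat, here is a lookup built both ways on a constructed in-memory SQLite table; the parameterized version is the fix, because the database then receives the input purely as a value.

```python
import sqlite3

# Constructed sample rows standing in for WebGoat's employee table.
EMPLOYEES = [
    ("Bob", "Franco", 1200),
    ("John", "Smith", 2800),
    ("Tobi", "Barnett", 3900),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (first TEXT, last TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """String-concatenated query: the user's input becomes part of the SQL text.
    A quote in the input closes the string literal and -- comments out the rest."""
    query = "SELECT first, last, salary FROM employees WHERE last = '" + last_name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """Parameterized query: the placeholder is bound to the value separately,
    so quotes and comment markers inside the input carry no SQL meaning."""
    query = "SELECT first, last, salary FROM employees WHERE last = ?"
    return conn.execute(query, (last_name,)).fetchall()


def demo() -> dict:
    """Run an honest and a hostile input through both lookups."""
    conn = make_db()
    honest = "Smith"
    # The tautology from the WebGoat lesson: ' ends the literal, OR '1'='1 is
    # always true, and -- hides the trailing quote the application appends.
    hostile = "Smith' OR '1'='1' --"
    return {
        "honest_vulnerable": lookup_vulnerable(conn, honest),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),  # every row leaks
        "honest_safe": lookup_safe(conn, honest),
        "hostile_safe": lookup_safe(conn, hostile),  # no row has that literal name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```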

h3

Tricks, Tips and Playbooks

  • x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
    • Mitre 2022: ATT&CK Enterprise Matrix
      • You can just read part of it required for this task, as it's a large text.
      • Give examples of a single, easy technique in each tactic. Which is the easiest?
      • Explain technique, subtechnique, tactic, group and software. Give example of each.
      • Describe a group (a brief description is enough, no need to repeat all steps listed)
    • OWASP: Cross Site Scripting (XSS)
  • y) Cross Site Story. Write a short story or draw a comic of a cross site scripting attack. Make roles clear: who attacks? Who runs, what code, where? What unauthorized access is gained? (This subtask y does not require any tests with a computer.).
  • a) Webgoat: A3 Sensitive data exposure
    • Insecure Login: 2 Let's try
  • b) Webgoat: A7 Cross Site Scripting (XSS): Cross site scripting
    • 2 What is XSS?
    • 7 Try It! Reflected XSS

Tips

  • XSS, cross site scripting. Think how this is used to actually break somewhere. The story helps you to consider the real attack, not just alert(document.cookie).
  • ATT&CK FAQ can help with concepts
  • Insecure login: Sniffer is more realistic than F12 here, so consider 'wireshark', "tshark -i any -V -Y 'http.request.method == POST'" or 'sudo ngrep -d lo assword'.
  • A7:2017 Cross Site Scripting: JavaScript bookmarklets no longer work by default in most browsers. So use the F12 Console to run JavaScript in your browser. Cross Site Scripting: script tags. "Try It! Reflected XSS" is done when the top sign turns green, even if the text says "Well done, but ... Please continue.".

h4

intelligence gap

Be careful with the tools. Only use tools on practice targets inside practice networks separated from the internet. Just port scanning someone else's computer might be a crime, KKO 2003:36. Be careful with IP addresses. If you install Kali, don't run random tools when your computer is connected to the Internet.

  • x) Read (or watch or listen) and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)

  • a) My networks. Add a new vboxnet internal network to your VirtualBox (File: Host Network Manager...)

  • b) Punchbag. Install Metasploitable 2 practice target on Virtual Box, and only connect it to your new virtual network. Login to Metasploitable 2 and find out its IP address.

  • c) Hero arrives. Connect the Linux computer you've been using to the same network (e.g. Debian 11-bullseye).

  • d) Hello sploitable! Open the website on Metasploitable 2 (from your main VM, e.g. Debian). If you can't open the expected website, you're not looking at the correct computer, don't run any scans or any similar tests.

  • e) Explain 2. Port scan Metasploitable 2. Analyze two ports in detail. You can pick the ports yourself. Make sure you only port scan the correct computer. Disconnect your host computer from the Internet as needed.

  • f) Refer. Verify that each of your homework reports mentions every source you've used. Each should include a reference to this task/question page. And every manual page, document, report and video you've used for this task.

  • g) Voluntary: Scanalyses. Port scan Metasploitable 2. Analyze the results. This is a big task: explain all you can understand from the results. Is there something untypical for a server publicly visible on the Internet? Do you think some services could be especially vulnerable, a good start for the initial foothold? Your explanation should take the main part of your answer. Make sure you only port scan the correct computer. Disconnect your host computer from the Internet as needed.

  • h) Voluntary task: it's raining shells. Break into Metasploitable 2. As an added bonus, do it using multiple methods. Only do this using methods you're able to use safely, so that attacks only target the Metasploitable 2 practice target.

Tips:

  • O'Reilly Learning € (former Safari) is a bit pricey, but Haaga-Helia students get free access through the Haaga-Helia library A-Z page.
  • Practice target Metasploitable 2 should never be visible to real internet - as it's very easy to break into it.
  • You can log into Metasploitable 2 with user name "msfadmin" and password "msfadmin". If the screen is black, you can click it and press enter.
  • IP address is shown with 'hostname -I', 'ip a' or 'ifconfig'
  • Private (non-routable) IPv4 addresses start with 127.x.x.x, 172.16.x.x, 10.x.x.x or 192.168.x.x. Check that the Metasploitable IP address is in one of these. Note that your local production network might use the same addresses for something important, especially at work.
  • To connect your attack VM (e.g. Debian Bullseye) to your test network: shut down the VM, add another virtual network card (connected to virtual network vboxnetN).
  • Metasploitable 2 has a web server in default port. The address is just http and the IP address. If the IP address of Metasploitable 2 was 192.168.43.21, then you should see the web server at http://192.168.43.21. The front page shows a large "metasploitable2" text, and the text "Never expose this VM to an untrusted network". If you don't see this, you're not looking at the right computer, don't scan it.
  • Nmap is the leading port scanner. You can only use it on practice targets on practice networks.
  • 'sudo nmap localhost' scans top 1000 ports
  • 'sudo nmap -v -A -p- localhost -oA myscan' # -v is verbose; -p- scans all tcp ports; -A (aaand kitchen sink) runs scripts, does OS fingerprint, is very loud; -oA myscan save all output formats in current directory with names starting with myscan.
  • You can watch nmap work using 'wireshark' network sniffer.
  • You can get example solutions for this and similar tasks by searching for karvinen metasploitable 2 or karvinen metasploitable 2 install.
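The -oA option above also writes myscan.xml, which is the format to analyze programmatically for task e) and g). As an added example, not from the course or from nmap, this script lists the open ports with their detected services from a constructed myscan.xml (the host address, service names and versions are made-up sample values, not a real scan), and refuses to report on any host that is outside the practice ranges listed in the tips (taken here as the RFC 1918 blocks plus loopback, an assumption of this example).

```python
import ipaddress
import xml.etree.ElementTree as ET

# The tips list 10.x, 172.16.x, 192.168.x and 127.x; these are the matching
# RFC 1918 blocks plus loopback (assumption of this example).
PRACTICE_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed stand-in for myscan.xml as written by "nmap ... -oA myscan".
# Address, products and versions are sample values, not from a real target.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -A -p- 192.168.56.101 -oA myscan">
<host><status state="up"/>
<address addr="192.168.56.101" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="sample-ftpd" version="1.0"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="sample-sshd" version="2.0"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="sample-httpd"/></port>
<port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
</ports></host></nmaprun>"""


def is_practice_address(addr: str) -> bool:
    """True when addr lies in one of the non-routable ranges from the tips."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRACTICE_NETWORKS)


def open_ports(xml_text: str) -> list:
    """Return (address, port, service, product, version) for every open port.
    Raises if the scanned host is not a practice-network address, mirroring the
    rule that only the correct, isolated target may be scanned or analyzed."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        if not is_practice_address(addr):
            raise ValueError(f"{addr} is not a practice-network address")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            found.append((addr, int(port.get("portid")), svc.get("name"),
                          svc.get("product", ""), svc.get("version", "")))
    return found


if __name__ == "__main__":
    for row in open_ports(SAMPLE_XML):
        print(row)
```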

h5

  • x) Read (or watch or listen) and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
  • a) Presentation material. Write down synopsis and key points of your presentation. Add some references. If you're using slides, feel free to link the PDF here in addition to synopsis.
  • b) Encrypt and decrypt a message using a tool of your choosing. Comment on the tool and the process.

Tips:

  • Presentations start next week
    • Audience: your classmates. (What would you like to hear?)
    • 10 min - 15 min
    • Tero publishes the schedule on this web page
    • Reserve your presentation topic by emailing ope @ this domain
    • The butler did it! Put the main thing first. Audience must understand "what's in it for me". If you're doing a demo, it's often a good idea to start it right away.
  • O'Reilly Learning € (former Safari) is a bit pricey, but Haaga-Helia students get free access through the Haaga-Helia library A-Z page.
  • Of course you will not be reading your presentation plan word for word, but it will help your audience to concentrate when they don't have to write a lot of notes while you speak.
  • Who is Bruce Schneier? Might want to check his blog, too.

h6

Free ticket

  • x) All reports. Add links to each homework report. If you have produced any other material in the course, link that too. (this subtask does not require tests with a computer)
  • y) Check your references. In all your homework reports, each page and each homework must list all of its sources. Remember to refer to all of your sources, such as the course, the task page, reports from other students, manuals, web pages, man pages, conferences... Any direct quotes must be marked as such. You can use quotes, blockquote or similar for this. (this subtask does not require tests with a computer)
  • x) Read (or watch or listen) and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
    • A security conference presentation. (This is about 1 hour of video for typical conferences)
  • a) Voluntary, recommended: add a link to your reports as a comment to this page. You might raise in Google, and might also get other people to refer to your work.

Tips:

  • You can pick one big name conference (Black Hat, RSA conference, HOPE, Disobey) or one you've never heard of
  • You can find many security conferences on YouTube, legally, for free, uploaded by the conference organizers
  • A lot more conferences in https://infocondb.org/con/
  • There are some conferences in O'Reilly Learning (former Safari), too
  • Remember, no online class on w10. We'll meet on w11 for the final round of presentations, and then it's important to be present.
  • The goal of this task is to familiarize you with security conferences; learn how to view them without travelling to the other side of the planet and paying an expensive ticket; and prepare you to keep yourself up to date after the course ends.

h7

Science, delivered

  • w) Read and summarize: Karvinen 2021: Find Academic Sources
  • x) Journal. Read and summarize a peer reviewed scholarly journal article. You are allowed to base your summary on partial reading of the article in this task, just mention in the report if you read the whole thing or skimmed. Mention the JUFO level of the journal.
  • y) Alert. Create a search that finds you scientific articles in an area of security that interests you. For example, the area you're planning to do your thesis on. Create an alert that delivers you email when new science is published.

Tips:

  • https://scholar.google.com
    • Disable citations (popular books) and patents
    • The free fulltext link is on the right
    • They also have "Alert" feature
  • Check that Journal's JUFO level is 1, 2 or 3.
  • Okular is a nice PDF reading program

Administrivia

This page keeps updating.

Shield icon is part of Clarity icons by VMware 2018, received under the MIT license.