Trust to Blockchain 2022 autumn
ICT Security Basics - from Trust to Blockchain - ICT4HM103-3004 - 2022 Autumn
Learn security fundamentals to understand current trends. Blockchains, TOR network and video conference encryption all stand on these fundamentals.
Excellent 4.9 out of 5 feedback.
| Course name and code | ICT Security Basics - from Trust to Blockchain - ICT4HM103-3004 |
| Timing | 2022 period 2, late autumn, w43-w50 |
| Credits | 5 cr (master's level) |
| Classes | Thu 17:40 - 20:30, online, mandatory participation |
| Remote | Yes, fully remote |
| Feedback | 4.9 / 5, excellent feedback |
| Services | Moodle: Trust to Blockchain, Jitsi, Laksu |
| First class | 2022-10-27 w43 Thu 17:40, Tero has emailed the Jitsi video conference link |
In this course, you will
- Learn the fundamentals of computer security
- See them in hands-on exercises
In detail, after this course you
- Have an idea of computer security fundamentals (confidentiality, ...)
- Can put infosec tools in perspective, and have tested some of these tools
- Can take the attacker's (adversarial) view, at least on a hypothetical level
- Can relate information security to real-life impacts
- Have had a look at some current security tools and techniques
This course gives you a grand overview of security principles, and practice with tools that implement these principles. Even though you're expected to be able to install and configure programs and troubleshoot some errors, this is not my most technical course. If you want a demanding, hands-on technical course with exploitation practice, pick Tunkeutumistestaus (Penetration Testing ict4tn027-3003) in addition to this.
I will keep updating the subjects, but you can write dates to your calendar right away.
Every class is on Thursday evening, 17:40 - 20:30. It's a video conference through Jitsi, and participation is mandatory.
You can give your presentation on any suitable day, even in week two. Email Tero to reserve a slot.
| 2022-10-27 w43 | 1. Organizing. Overview of the course. Fundamentals vs common attacks. |
| 2022-11-03 w44 | 2. Hashes, passwords and cracking them. Alex: Endpoint security of Windows Servers in Azure. |
| 2022-11-10 w45 | 3. Public key encryption and signing. Mariella: Certificates in the Income Registry. |
| 2022-11-17 w46 | 4. Bitcoin intro. Janne: Server patch management. |
| 2022-11-24 w47 | 5. Bitcoin. Visitor: Miko Hirvelä: My Cryptomining Rig |
| 2022-12-01 w48 | 6. Petteri: OSINT. Antti: Certificates I've used in big projects. |
| 2022-12-08 w49 | 7. Helsec event (remote or in person*) |
| 2022-12-15 w50 | 8. Olga: OWASP 10. Matti: Managing keys and secrets in Azure. Tomi: Installing and testing a Starlink satellite connection. |
- * Remote or in person, you choose. Participation in Helsec events is free, but if in-person places run out, the rest can watch the video stream.
Homework 70% and presentations 30%. Evaluation is based on the totality of the skills and knowledge demonstrated.
Online classes require active participation.
Literature and links
(Haaga-Helia users should have free access to O'Reilly Learning aka Safari Online through our library, even when they are marked with € below)
r1 Overview, concepts and fundamentals
- OWASP 10 pdf, p 21-22: Note About Risks; Details About Risk Factors.
- Schneier 1999: Modeling security threats (Attack trees)
- Darknet Diaries. (You can find interesting security incidents here. It's hours and hours of material, so just have a look. To listen to podcasts on Android, you can use AntennaPod from F-Droid)
- Krebs on Security (It's a whole blog, so just have a look. You can find security incident writeups here)
- MITRE ATT&CK (Tactics, techniques and procedures. It's big, it's enough to just have a look. )
- Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (cyber kill chain)
r2 Blockchain to Cryptocurrency
- Nakamoto, Satoshi 2008: Bitcoin: A Peer-to-Peer Electronic Cash System. (A colored HTML version. This is the paper that defined and introduced Bitcoin. You can skip "11. Calculations" if you don't like sigma symbols. The URL and email address at the top of the paper seem unbelievable and added by a third party.)
- Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 1 (about 1 hour). Requires free registration. If you find it easy to follow, you can also optionally look at week 2 (1.5 h).
r3 Offensive Views
- Karvinen 2020: Remote Learning Tools for Tero's Courses: Install Virtual Xubuntu Linux
- Karvinen 2019: Install WebGoat PenTest Learning Tool on Ubuntu – with Docker (Make sure your address starts with "localhost" when you practice.)
- Disobey 2020 Videos were just published. There are hours of videos, just have a look. Antti Virtanen: "I'm in your office" is an easy start.
- MitmProxy on Kali and Xubuntu – attack and testing
r4 CIA Triad and Encryption
- Schneier 2015: Applied Cryptography Chapter 1: Foundations €
- Curtin 1998: Snake Oil Warning Signs: Encryption Software to Avoid
r5 Applications: Pseudonymity
- Shavers & Bair 2016: Hiding Behind the Keyboard: The Tor Browser €
r6 BitCoin and Crypto Currencies
- Määttä et al 2020: Virtuaalivaluuttojen verotus (Taxation of virtual currencies) VH/5083/00.01.00/2019. The previous version is available in English; the latest English version was not available at the time of writing. This is a long document, only read the parts relevant to you.
Homework is official only after it's given in the class.
Homework is due 24 hours before next class starts. Return a link to Laksu.
Below are some preliminary ideas for homework. They are only official after the teacher has given them, as I will of course give homework based on what we actually talked about.
h1 Adversarial mindset
x) Read and summarize. Some bullets are enough for a summary.
- Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Update: Chapters Abstract, 3.2 Intrusion Kill Chain and 3.3 Courses of Action.
- Darknet Diaries. Pick one episode.
- MITRE ATT&CK FAQ explains the ATT&CK Enterprise Matrix. Explain tactic, technique and procedure in context of ATT&CK, and give an example of each. The enterprise matrix is big, you can just glimpse/browse it to see what's available instead of reading hundreds of pages.
a) How would you compare Cyber Kill Chain and ATT&CK Enterprise matrix? Who do you think could benefit from these models? (Bonus: Do you think anything is missing from either of these models?)
b) Update: Voluntary: Use either the (Hutchins et al 2011) cyber kill chain or the MITRE ATT&CK framework to analyze an incident of your choosing. You can pick any incident you want, but try to pick a source that gives you enough technical and business detail to do some analysis. (If you're in a hurry, the cyber kill chain is much simpler. If you're technically skillful, you might find ATT&CK interesting.)
c) Install Debian on Virtualbox. Report your work, including the environment (including host OS, the real physical computer used).
d) Voluntary bonus: What do you consider the fundamentals of security? What are the theoretical foundations you would teach on the first day?
ps. You can give your presentation as soon as the next class. Just email Tero your subject.
- Some bullets for each article is enough. You don't need to have all content of the long articles in your summary.
- For the summary, add your own question, idea or comment
- Hutchins et. al. is the cyber kill chain paper.
- Darknet diaries: pick any other episode but the last one, so you'll have a different episode from everyone else
- To listen to podcasts on Android, you can use AntennaPod from F-Droid or Google Play
- Refer to each source you've used: the course, the task given, the papers, the podcasts - all sources you've used. All sources must be mentioned in every document, page or blog using them. It's enough to just name and link them, you don't need to write another list at the end. In fact, it's important to know which information comes from which source.
- My article Install Debian on Virtualbox explains it pretty well.
- Got stuck with VirtualBox or Linux? Don't worry, computers are like that. Write a detailed report (in your homework) with screenshots. Explain what approaches you took and what happened. List where you found advice or articles. Explain your ideas on why it would not work. You'll get help and advice in the class (and that's not all - you'll also get Linux on your virtual machine).
You can practice cracking your own hashes here. Some of the material linked here also shows penetration testing techniques that can only be practiced in separate test networks, but these techniques are not taught here and are not needed in the homework. (Safe ways to practice those more offensive techniques are taught in Tero's course Penetration testing / Tunkeutumistestaus.)
You're only allowed to start password hash cracking task after accepting course rules in Moodle. Most have probably accepted them already a week ago.
x) Read and summarize (with some bullet points)
- € Schneier 2015: Applied Cryptography: Chapter 2 - Protocol Building Blocks: subchapters "2.3 One-Way Functions" and "2.4 One-Way Hash Functions".
- Karvinen 2022: Cracking Passwords with Hashcat
- Karvinen 2020: Command Line Basics Revisited
- Voluntary bonus article: € Santos et al 2017: Security Penetration Testing - The Art of Hacking Series LiveLessons: Lesson 6: Hacking User Credentials (8 videos, about 30 min)
a) Install hashcat and test that it works.
b) Crack this hash: 21232f297a57a5a743894a0e4a801fc3
c) Crack this Windows NTLM hash: f2477a144dff4f216ab81f2ac3e3207d
d) Try cracking this hash and comment on your hash rate $2y$18$axMtQ4N8j/NQVItQJed9uORfsUK667RAWfycwFMtDBD6zAo1Se2eu . This subtask d does not require actually cracking the hash, just trying it and commenting on the hash rate.
e) Voluntary bonus: make hashcat work with your display adapter (GPU).
f) Voluntary bonus: create some hashes of your own, then crack them with hashcat.
g) Voluntary bonus hash. John the Ripper aka 'john' might also work here. (The three lines below are one grep command and its two output lines; the $1$ prefix marks the hash type.)
$ sudo grep elmik9 /etc/passwd /etc/shadow
/etc/passwd:elmik9:x:1003:1003:Elmeri "9" Elmik,,,:/home/elmik9:/bin/bash
/etc/shadow:elmik9:$1$xpRkwrhq$aXdu7HQirUmuTZW2m8OXs.:18401:0:99999:7:::
- You can likely get the paywalled books and videos for free with your Haaga-Helia account, through Haaga-Helia library's A-Z Databases. This page has a lot of free goodies included in your Haaga-Helia student status.
- Schneier's book is famous. It's pretty dense; if this was made by a YouTube influencer, you'd get three seasons of videos from the first couple of paragraphs.
- 'sudo apt-get update', 'sudo apt-get install hashcat hashid micro bash-completion'
- In many tutorials, the hackers guess the type of the hash by comparing it to examples. I prefer using 'hashid -m feedd0c5', the right hash type is usually in top three, and the mode number (-m) is the same as the required -m parameter for hashcat.
- You can use rockyou.txt or similar dictionary.
- Some of the practical exercises can be challenging if you're new to the world of hacking. Don't worry, computers are like that. Write a detailed report (in your homework) with screenshots. Explain what approaches you took and what happened. List where you found advice or articles. Explain your ideas on why it would not work. You'll get help and advice in the class. As these are the tools that actual hackers and pentesters use, they are optimized more for getting results than for being beginner friendly.
- Only test on practice data and practice targets. Follow the laws, never point any of these tools to production data or production systems.
- If you're in another jurisdiction (not Finland), also check the local rules and laws before any pentest-related practice.
- You can email Tero to reserve your presentation topic.
- Something to think about: we just learned that hashing is a one-way function. If this is true, why can you crack the hash and find out the original password?
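The question above has a concrete answer: a hash is one-way, but the attacker does not reverse it, they guess candidates and hash each one, which is exactly what hashcat does with rockyou.txt. The added example below is not part of the course page or hashcat; it is a plain-Python dictionary attack that recovers the plaintext behind the MD5 hash from subtask b, plus a work-factor comparison for subtask d. The short word list is constructed here as a stand-in for rockyou.txt, and PBKDF2 is used as a stand-in for bcrypt (the 18 in `$2y$18$` is bcrypt's cost, i.e. 2^18 rounds), since bcrypt is not in the standard library.

```python
import hashlib
import time

# Constructed stand-in for a few lines of rockyou.txt (assumption: the real
# list is millions of entries long, which is what makes the attack work)
WORDLIST = ["123456", "password", "letmein", "admin", "qwerty", "iloveyou"]


def md5_hex(candidate: str) -> str:
    """Unsalted MD5, the cheapest thing you will meet in a password dump."""
    return hashlib.md5(candidate.encode()).hexdigest()


def crack_md5(target_hex: str, wordlist=WORDLIST):
    """Dictionary attack: hash every guess and compare it to the target.

    Nothing is reversed; the one-way property still holds. Cracking works
    because the attacker can test guesses far faster than users choose
    unguessable passwords. Returns the matching word, or None.
    """
    target_hex = target_hex.lower()
    for guess in wordlist:
        if md5_hex(guess) == target_hex:
            return guess
    return None


def slow_hash_hex(candidate: str, iterations: int, salt: bytes = b"coursesalt") -> str:
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a tunable work factor.

    bcrypt cost 18 means 2**18 rounds; raising the cost by one halves the
    attacker's hash rate, the same lever this `iterations` parameter pulls.
    """
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations).hex()


def guesses_per_second(hash_func, guesses: int = 2000) -> float:
    """Rough hash rate of `hash_func` on this CPU; compare to hashcat's H/s."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_func(f"guess{i}")
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    print("md5 cracked:", crack_md5("21232f297a57a5a743894a0e4a801fc3"))  # → admin
    fast = guesses_per_second(md5_hex)
    slow = guesses_per_second(lambda c: slow_hash_hex(c, 2 ** 12), guesses=20)
    print(f"md5: {fast:,.0f} H/s, pbkdf2(2^12): {slow:,.0f} H/s, ratio {fast / slow:,.0f}x")
```

The ratio printed at the end is the point of subtask d: a tunable-cost hash pushes the attacker's rate from millions of guesses per second down to a handful, so the same word list that cracks the MD5 instantly becomes impractical against bcrypt at cost 18.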
h3 Public key
a) Read and summarize (with some bullet points)
- € Schneier 2015: Applied Cryptography:
- Chapter 1: Foundations:
- 1.1 Terminology
- 1.6 Computer Algorithms
- 1.7 Large Numbers
- Chapter 2 Protocol Building Blocks:
- 2.5 Communications Using Public-Key Cryptography: from start to end of "Hybrid Cryptosystems"
- 2.6 Digital Signatures:
- Digital Signature Trees [aka Merkle trees]
- Signing Documents with Public-Key Cryptography
b) Give two examples of public key cryptography (other than PGP). Explain how public keys are used here. (No hands-on tests required for this subtask)
c) Encrypt and sign a message. Then decrypt and verify it. Use PGP to encrypt and sign messages. (Do this hands on with a computer, and write the report while you're working).
d) Voluntary: Secrets with friends. Send a PGP message to your friend, and decrypt the reply.
e) Voluntary: Find the correct PGP key for Richard Stallman, the head of Free Software Foundation. Then find an incorrect, suspect or fake PGP key for Stallman. Why do you think one key is genuine and another is suspect?
f) Voluntary, programmers only: Cryptopals. Solve Set 1: Challenges 1-3. I highly recommend Cryptopals for learning to break cryptography.
- To encrypt with PGP, you can use GnuPG aka gpg (Linux: 'sudo apt-get install gpg', Windows gpg4win; I haven't tested the Windows version).
- gpg --gen-key; gpg --fingerprint; gpg --export --armor bob > bob.asc; gpg --import bob.asc; gpg --encrypt --sign --recipient bob message.txt; gpg --decrypt message.txt.gpg
- To use PGP in your daily life, I recommend Thunderbird (since version 78 it has OpenPGP built in, so the separate Enigmail add-on is no longer needed).
h4 BitCoin intro
x) Read/watch and summarize
- Nakamoto, Satoshi 2008: Bitcoin: A Peer-to-Peer Electronic Cash System. (A colored HTML version. This is the paper that defined and introduced Bitcoin. You can skip "11. Calculations" if you don't like sigma symbols (or just read the code instead of the maths if you're a coder). The URL and email address at the top of the website version seem unbelievable and added by a third party.)
- Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 1 (about 1 hour). Requires free registration. If you find it easy to follow, you can also optionally look at week 2 (1,5 h).
a) Really Black Friday. How much is one Bitcoin (BTC) worth now? Using the historical BTC exchange rate, show that you could have lost a lot of money investing in BTC. Also show that you could have won a lot of money with BTC.
b) What's a block chain? Give a simple but detailed explanation. (Feel free to use the most narrow and simple definition of blockchain - no need to consider a whole cryptocurrency).
c) Not Bitcoin. Give examples of some altcoins, cryptocurrencies competing with Bitcoin. For each altcoin: how does it differ, what's its claim to fame?
h) Voluntary: Really Black Friday. Buy some Bitcoin - it's on sale. If you're new to this, don't risk a lot of money.
i) Voluntary: When do you have to pay taxes for BitCoin in Finland? (If you want, you can instead check taxation in another country)
j) Voluntary: Describe a simple cryptocurrency (you can invent one yourself or use an existing toy example).
k) Voluntary: Secret or public? Find some transactions on a BitCoin account that is related to a case that has had publicity.
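For subtasks b and j, and for the "Digital Signature Trees [aka Merkle trees]" reading in h3, the added example below (not from the course page or from Bitcoin's code) builds the most narrow blockchain that still has the three properties Nakamoto's paper relies on: each block commits to its transactions through a Merkle root, links to the previous block by hash, and carries a proof of work. The transactions are plain strings, the difficulty is a toy value, and the hashing follows Bitcoin's double SHA-256; everything else is an assumption made for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

DIFFICULTY = 3   # required leading hex zeros of a block hash; toy value, Bitcoin's is far higher


def sha256d(data: bytes) -> str:
    """Double SHA-256, which Bitcoin uses for block and transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def merkle_root(txids) -> str:
    """Pair hashes level by level; an odd last hash is paired with itself (Bitcoin's rule)."""
    if not txids:
        return sha256d(b"")
    level = [bytes.fromhex(t) for t in txids]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [bytes.fromhex(sha256d(a + b)) for a, b in zip(level[0::2], level[1::2])]
    return level[0].hex()


@dataclass
class Block:
    prev_hash: str
    txs: list                          # strings stand in for real transactions
    nonce: int = 0
    merkle: str = field(init=False)    # commitment to txs, fixed when the block is built

    def __post_init__(self):
        self.merkle = merkle_root([sha256d(tx.encode()) for tx in self.txs])

    def header(self) -> bytes:
        return json.dumps({"prev": self.prev_hash, "merkle": self.merkle,
                           "nonce": self.nonce}, sort_keys=True).encode()

    def hash(self) -> str:
        return sha256d(self.header())


def mine(block: Block, difficulty: int = DIFFICULTY) -> Block:
    """Proof of work: try nonces until the header hash has enough leading zeros."""
    while not block.hash().startswith("0" * difficulty):
        block.nonce += 1
    return block


def build_chain(tx_batches, difficulty: int = DIFFICULTY):
    chain, prev = [], "0" * 64
    for txs in tx_batches:
        block = mine(Block(prev, list(txs)), difficulty)
        chain.append(block)
        prev = block.hash()
    return chain


def validate_chain(chain, difficulty: int = DIFFICULTY) -> bool:
    """Per block: txs match the Merkle root, link to previous hash, proof of work holds."""
    prev = "0" * 64
    for block in chain:
        if merkle_root([sha256d(tx.encode()) for tx in block.txs]) != block.merkle:
            return False
        h = block.hash()
        if block.prev_hash != prev or not h.startswith("0" * difficulty):
            return False
        prev = h
    return True


if __name__ == "__main__":
    # Constructed sample transactions
    chain = build_chain([["alice pays bob 1"],
                         ["bob pays carol 2", "carol pays dave 3"],
                         ["dave pays alice 1"]])
    print("valid:", validate_chain(chain))
    chain[1].txs[0] = "bob pays mallory 2"          # rewrite history
    print("valid after tampering:", validate_chain(chain))
```

Rewriting one transaction breaks the Merkle root of its block; recomputing the root changes that block's hash, which breaks the next block's `prev_hash` link and the block's own proof of work, so an attacker would have to redo the mining of every later block. That chain of dependencies, not any single hash, is what the word "blockchain" refers to in its narrowest sense.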
h5 Detective CoinBit
x) Read/watch and summarize. (Some bullets is enough)
- Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 2 (about 1 hour 20 min). Requires free registration. If you find it easy to follow, you can also optionally look at week 3, which goes into detail about the blocks and networks you had some questions about.
a) Detective Coinbit. Find and analyse a BitCoin transaction. Voluntary bonus: what else have the related parties done?
b) Dashboard of Doom. Look at and comment Miko Hirvelä's crypto mining dashboard. Explain the current state of cryptocurrency mining. Relate your explanation to Miko's presentation and dashboard. What possible scenarios do you see for cryptocurrencies in the future?
In Finland, it's legal to use TOR at the time of writing. If you reside in another jurisdiction, laws might be different. Obviously, it's illegal to do illegal things in TOR, just like it's illegal to do illegal things anywhere. Only do legal things.
If you reside in a jurisdiction where using TOR is illegal, you obviously can't install it and do the related tasks. For those cases, the alternative task is: based on literature only (no hands-on tests, no installation), compare anonymous/pseudonymous networks, such as TOR, I2P, Freenet and others. How do their goals, technology and other features differ? How are they similar?
x) Read and summarize (briefly, e.g. with some bullets)
- Shavers & Bair 2016: Hiding Behind the Keyboard: The Tor Browser €; subchapters: "Introduction", "History and Intended Use of The Onion Router", "How The Onion Router Works", "Tracking Criminals Using TOR".
a) Install TOR browser and access TOR network (.onion addresses). (Explain in detail how you installed it, and how you got access to TOR).
b) Browse TOR network, find, take screenshots and comment
- search engine for onion sites
c) In your own words, how does anonymity work in TOR? (e.g. how does it use: public keys, encryption, what algorithms?)
d) What kind of threat models could TOR fit?
- Be cautious: don't trust anonymous sites, don't enter your name or other personal details anywhere.
- OPSEC is hard, any single tool will not magically make you untraceable.
- Shavers & Bair book is available for free using your HH credentials and Haaga-Helia A-Z page.
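For subtask c, the added example below (not from the course page or the Tor project) simulates the core idea of onion routing over a three-hop circuit: the client wraps the message in one encryption layer per relay, and each relay can peel exactly one layer, so the guard learns only the client and the middle relay, the middle relay learns only its neighbours, and the exit learns the destination but not the client. Assumptions for the illustration: relay keys are pre-shared (real Tor derives them with a public-key handshake against each relay's published key), the cipher is a toy SHA-256 counter-mode keystream with an HMAC tag instead of Tor's AES-CTR and fixed-size cells, and the hop names and destination are constructed.

```python
import hashlib
import hmac
import json
import secrets

PATH = ["guard", "middle", "exit"]      # assumed circuit, client -> guard -> middle -> exit


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Illustration only, not for real use."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """One layer, encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; a wrong key or a flipped bit fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer tampered with or wrong relay key")
    return keystream_xor(key, nonce, ct)


def build_onion(path, keys, destination: str, payload: str) -> bytes:
    """Client wraps the innermost (exit) layer first; each outer layer names only the next hop."""
    blob = seal(keys[path[-1]], json.dumps({"to": destination, "payload": payload}).encode())
    for hop, nxt in zip(reversed(path[:-1]), reversed(path[1:])):
        blob = seal(keys[hop], json.dumps({"next": nxt, "blob": blob.hex()}).encode())
    return blob


def run_circuit(path, keys, onion: bytes) -> dict:
    """Each relay peels exactly one layer. Returns what every relay could observe."""
    views, blob, prev = {}, onion, "client"
    for hop in path:
        layer = json.loads(unseal(keys[hop], blob))
        if "next" in layer:
            views[hop] = {"prev": prev, "next": layer["next"]}
            blob, prev = bytes.fromhex(layer["blob"]), hop
        else:
            views[hop] = {"prev": prev, "to": layer["to"], "payload": layer["payload"]}
    return views


def demo() -> dict:
    # Assumption: per-relay session keys are pre-shared here; Tor negotiates
    # them with each relay using that relay's public key (the ntor handshake).
    keys = {hop: secrets.token_bytes(32) for hop in PATH}
    onion = build_onion(PATH, keys, "example.org:80", "GET / HTTP/1.1")
    return run_circuit(PATH, keys, onion)


if __name__ == "__main__":
    for relay, seen in demo().items():
        print(f"{relay:6} sees {seen}")
```

The printed views are the answer to "how does anonymity work": no single relay sees both the client and the destination, and because each layer is sealed under a different key, a relay cannot read the layers meant for the others. The exit does see the payload in clear, which is why the warning above about not entering personal details on sites reached through TOR matters, and why end-to-end HTTPS is still needed inside the circuit.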
a) Summarize one HelSec presentation.