Trust to Blockchain 2022 autumn
ICT Security Basics - from Trust to Blockchain - ICT4HM103-3004 - 2022 Autumn

Learn security fundamentals to understand current trends. Blockchains, the TOR network and video conference encryption all stand on these fundamentals.

Excellent 4.9 out of 5 feedback.

Learning goals

In this course, you will

  • Learn fundamentals of computer security
  • See them in hands-on exercises

In detail, you will

  • Understand computer security fundamentals (confidentiality, integrity, availability, ...)
  • Be able to put infosec tools in perspective, having tested some of them yourself
  • Take the adversarial view, that is, the attacker's point of view (at least on a hypothetical level)
  • Relate information security to real-life impacts
  • Have looked at some current security tools and techniques

This course gives you a grand overview of security principles and practice, with tools that implement these principles. Even though you're expected to be able to install and configure programs and troubleshoot some errors, this is not my most technical course. If you want a demanding, hands-on technical course with exploitation practice, take Penetration Testing (Tunkeutumistestaus, ict4tn027-3003) in addition to this one.

Agenda

I will keep updating the subjects, but you can write dates to your calendar right away.

Every class is on Thursday evening, 17:40 - 20:30, as a video conference through Jitsi. Participation is mandatory.

You can keep your presentation any suitable day, even on week two. Email Tero to reserve a slot.

Date        Week  Subject
2022-10-27  w43   1. Organizing. Overview of the course. Fundamentals vs common attacks.
2022-11-03  w44   2. Hashes, passwords and cracking them.
2022-11-10  w45   3. Public key encryption and signing.
2022-11-17  w46   4. Bitcoin intro.
2022-11-24  w47   5. Bitcoin. Visitor: Miko Hirvelä: My Cryptomining Rig
2022-12-01  w48   6. Practical encryption techniques.
2022-12-08  w49   7. Modern applications.
2022-12-15  w50   8. Recap & last presentations.

Evaluation

Homework 70% and presentations 30%. Evaluation is based on the totality of the skills and knowledge demonstrated.

Online classes require active participation.

(Haaga-Helia users should have free access to O'Reilly Learning aka Safari Online through our library, even when they are marked with € below)

r1 Overview, concepts and fundamentals

r2 Blockchain to Cryptocurrency

r3 Offensive Views

r4 CIA Triad and Encryption

r5 Applications: Pseudonymity

r6 BitCoin and Crypto Currencies

Homework

Homework is official only after it's given in the class.

Homework is due 24 hours before next class starts. Return a link to Moodle.

Below are some preliminary ideas for homework. They become official only when given by the teacher, since I will of course base the homework on what we actually talked about.

h1 adversarial mindset

z) Read and summarize. Some bullets are enough for a summary.

a) How would you compare Cyber Kill Chain and ATT&CK Enterprise matrix? Who do you think could benefit from these models? (Bonus: Do you think anything is missing from either of these models?)

b) Pick a security incident and learn about it. Write briefly about it. Point out the concepts of threat actor, exploit, vulnerability and (business) impact. (You can find writeups about security incidents from Darknet Diaries and Krebs)

c) Use either the (Hutchins et al 2011) cyber kill chain or the MITRE ATT&CK framework to analyze the incident you used in b). You can pick any incident you want, but try to pick a source that gives you enough technical and business detail to do some analysis. (If you're in a hurry, the cyber kill chain is much simpler. If you're technically skilled, you might find ATT&CK interesting.)

d) Install Debian on VirtualBox. Report your work, including the environment (host OS and the physical computer used).

e) Accept course rules in Moodle, so that we can talk about practical exploits.

f) Voluntary bonus: What do you consider the fundamentals of security? What are the theoretical foundations you would teach on the first day?

Tips:

  • Some bullets for each article is enough. You don't need to have all content of the long articles in your summary.
  • For the summary, add your own question, idea or comment
  • Hutchins et. al. is the cyber kill chain paper.
  • Darknet diaries: pick any other episode but the last one, so you'll have a different episode from everyone else
  • To listen to podcasts on Android, you can use AntennaPod from F-Droid or Google Play
  • Refer to each source you've used: the course, the task given, the papers, the podcasts, all sources you've used. All sources must be mentioned in every document, page or blog using them. It's enough to just name and link them; you don't need to write another list at the end. In fact, it's important to know which piece of information comes from which source.
  • My article Install Debian on VirtualBox explains it pretty well. It's also possible to use Xubuntu Linux.
  • Got stuck with VirtualBox or Linux? Don't worry, computers are like that. Write a detailed report (in your homework) with screenshots. Explain what approaches you took and what happened. List where you found advice or articles. Explain your ideas on why it would not work. You'll get help and advice in the class (and that's not all - you'll also get Linux on your virtual machine).

h2 hashes

You can practice cracking the hashes given here. Some of the material linked here also shows penetration testing techniques that can only be practiced in isolated test networks, but these techniques are not taught here and are not needed in the homework. (Safe ways to practice those more offensive techniques are taught in my course Penetration testing / Tunkeutumistestaus.)

You're only allowed to start the password hash cracking task after accepting the course rules in Moodle. Most of you probably accepted them a week ago.

z) Read and summarize (with some bullet points, feel free to concentrate on things you find interesting)

a) Install hashcat and test that it works.

b) Crack this hash: 21232f297a57a5a743894a0e4a801fc3

c) Crack this Windows NTLM hash: f2477a144dff4f216ab81f2ac3e3207d (Update: I added the tip that it's NTLM)

d) Try cracking this hash and comment on your hash rate $2y$18$axMtQ4N8j/NQVItQJed9uORfsUK667RAWfycwFMtDBD6zAo1Se2eu (Update: Crack this -> Try cracking this. I'm interested in your comments on the hash rate, no need to get the password).

e) Voluntary bonus: make hashcat work with your display adapter (GPU).

f) Voluntary bonus: create some hashes of your own, then crack them with hashcat.

g) Voluntary bonus hash. John the Ripper aka 'john' might also work here.

$ sudo grep elmik9 /etc/passwd /etc/shadow
/etc/passwd:elmik9:x:1003:1003:Elmeri "9" Elmik,,,:/home/elmik9:/bin/bash
/etc/shadow:elmik9:$1$xpRkwrhq$aXdu7HQirUmuTZW2m8OXs.:18401:0:99999:7:::

Tips:

  • You can likely get the paywalled books and videos for free with your Haaga-Helia account, through Haaga-Helia library's A-Z Databases. This page has a lot of free goodies included in your Haaga-Helia student status.
  • Schneier's book is famous. It's pretty dense: if this had been made by a YouTube influencer, you'd get three seasons of videos out of the first couple of paragraphs.
  • 'sudo apt-get update', 'sudo apt-get install hashcat hashid micro'
  • In many tutorials, hackers guess the type of the hash by comparing it to examples. I prefer using 'hashid -m feedd0c5': the right hash type is usually in the top three, and the mode number it shows is the same number you pass to hashcat with -m.
  • You can use rockyou.txt or similar dictionary.
  • Some of the practical exercises can be challenging if you're new to the world of hacking. Don't worry, computers are like that. Write a detailed report (in your homework) with screenshots. Explain what approaches you took and what happened. List where you found advice or articles. Explain your ideas on why it would not work. You'll get help and advice in the class. As these are the tools that actual hackers and pentesters use, they are optimized for getting results rather than for being beginner friendly.
  • Only test on practice data and practice targets. Follow the laws, never point any of these tools at production data or production systems.
  • If you're in another jurisdiction (not Finland), also check the local rules and laws before any pentest related practice.
  • Something to think about: we just learned that hashing is a one-way function. If that is true, how can you crack a hash and find out the original password?
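To make the last question concrete, here is an added example in Python (not part of the course material, and not how hashcat is implemented). It never inverts a hash: it hashes each guess from a small wordlist exactly the way the target was hashed and compares the results. MD5 comes from hashlib; NTLM is MD4 over the UTF-16LE encoding of the password, and because hashlib's md4 is often disabled under OpenSSL 3, MD4 is implemented here in plain Python. The wordlist and the two target hashes (MD5 of 'hello', NTLM of 'password') are constructed for this example; the homework hashes are not solved here.

```python
import hashlib
import struct
from typing import Iterable, Optional

# Added example, not the course's or hashcat's code: a minimal dictionary attack.

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (slow, but needs no OpenSSL legacy provider)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # Rotating the tuple reproduces the a, d, c, b update order of the RFC.
                a, b, c, d = d, _rotl((a + func(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def ntlm_hex(candidate: str) -> str:
    # NTLM = MD4(UTF-16LE(password)). No salt and a fast hash: ideal for the attacker.
    return md4(candidate.encode("utf-16-le")).hex()


HASHERS = {"md5": md5_hex, "ntlm": ntlm_hex}

# Constructed wordlist; rockyou.txt has about 14 million lines in the same spirit.
WORDLIST = ["123456", "letmein", "hello", "password", "qwerty"]

# Constructed targets: MD5 of "hello" and NTLM of "password".
TARGETS = {
    "md5": "5d41402abc4b2a76b9719d911017c592",
    "ntlm": "8846f7eaee8fb117ad06bdd830b7586c",
}


def crack_hash(target_hex: str, mode: str, wordlist: Iterable[str]) -> Optional[str]:
    """Guess-and-compare: return the first candidate whose hash matches, else None."""
    hasher = HASHERS[mode]
    target = target_hex.lower()
    for word in wordlist:
        if hasher(word) == target:       # the hash is never reversed, only recomputed
            return word
    return None


if __name__ == "__main__":
    for mode, target in TARGETS.items():
        print(f"{mode}: {target} -> {crack_hash(target, mode, WORDLIST)!r}")
```

The same two modes are hashcat's -m 0 (MD5) and -m 1000 (NTLM). This is also why task d) behaves so differently: MD5 and NTLM are unsalted and cheap, so a GPU can test billions of guesses per second, whereas $2y$18$ means bcrypt with cost 18, i.e. 2^18 rounds of its expensive key setup per guess, which drops the hash rate to a few guesses per second and makes even a short dictionary impractical.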

h3 public key encryption and pgp

a) Read and summarize (with 1-5 bullet points for each heading)

b) Give two examples of public key cryptography (other than PGP). Explain how public keys are used here.

c) Encrypt and sign a message. Then decrypt and verify it. Use PGP to encrypt and sign messages.

d) Voluntary: Secrets with friends. Send a PGP message to your friend, and decrypt the reply.

e) Voluntary: Find the correct PGP key for Richard Stallman, the head of Free Software Foundation. Then find an incorrect, suspect or fake PGP key for Stallman. Why do you think one key is genuine and another is suspect?

f) Voluntary, programmers only: Cryptopals. Solve Set 1: Challenges 1-3. I highly recommend Cryptopals for learning to break cryptography.

Tips:

  • To encrypt with PGP, you can use GnuPG aka gpg (Linux: 'sudo apt-get install gpg', Windows gpg4win; I haven't tested the Windows version).
  • gpg --gen-key; gpg --fingerprint; gpg --export --armor bob > bob.asc; gpg --import bob.asc; gpg --encrypt --sign --recipient bob message.txt; gpg --decrypt message.txt.gpg (the option is --gen-key, not --genkey; the recipient is given with --recipient or -r; --decrypt also verifies the signature when you have the signer's public key)
  • To use PGP in your daily life, I recommend Thunderbird. Versions 78 and newer have OpenPGP built in, so the older Enigmail add-on is no longer needed.

h4

In Finland, it's legal to use TOR at the time of writing. If you reside in another jurisdiction, laws might be different. Obviously, it's illegal to do illegal things in TOR, just like it's illegal to do illegal things anywhere. Only do legal things.

x) Read and summarize

a) Install Tor Browser and access the TOR network (.onion addresses). Explain in detail how you installed it and how you got access to TOR.

b) Browse the TOR network. Find, take screenshots of and comment on

  • search engine for onion sites
  • marketplace
  • fraud
  • forum

c) Find an example where the anonymity of a TOR user was compromised. How was it done? Who did it? Could the deanonymization be replicated?

d) What other pseudonymous/anonymous networks are there? What's their killer feature? How are they different from TOR?

e) In your own words, how does anonymity work in TOR? (e.g. how does it use: public keys, encryption, what algorithms?)

f) What kind of threat models could TOR fit?
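As an added illustration for e) (not part of the course page, and not Tor's own code), the Python toy below shows the layering that gives onion routing its name. The client holds one symmetric key per relay and wraps the message in three layers; each relay removes exactly one layer and learns only who sent it the cell and who gets it next. Real Tor negotiates each relay key with the ntor handshake (Curve25519) against the relay's published public key, encrypts the layers with AES-CTR inside fixed-size 512-byte cells and protects them with a running digest; here the cipher is a stand-in built from a SHA-256 keystream, the relay names and keys are constructed, and the cell format is plain JSON.

```python
import hashlib
import json

# Added example, not Tor's code: a three-hop onion with a toy cipher.


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256; stand-in for AES-CTR, not for real use.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def wrap_onion(circuit, destination: str, message: str) -> bytes:
    """circuit: list of (relay_name, shared_key) in path order (guard, middle, exit).

    Built from the inside out: the exit's layer carries the destination and
    the plaintext; every outer layer only names the next relay on the path.
    """
    cell = json.dumps({"next": destination, "payload": message}).encode()
    onion = xor_crypt(circuit[-1][1], cell)
    for (_, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        cell = json.dumps({"next": next_name, "payload": onion.hex()}).encode()
        onion = xor_crypt(key, cell)
    return onion


def peel_layer(key: bytes, onion: bytes):
    """What one relay can do with its own key: strip exactly one layer."""
    cell = json.loads(xor_crypt(key, onion).decode("utf-8"))
    return cell["next"], cell["payload"]


def can_peel(key: bytes, onion: bytes) -> bool:
    """A relay holding the wrong key gets only noise out of a layer."""
    try:
        peel_layer(key, onion)
        return True
    except ValueError:          # covers both UTF-8 and JSON decoding failures
        return False


def simulate_circuit(circuit, destination: str, message: str):
    """Pass the cell through each relay and record what that relay learned."""
    onion = wrap_onion(circuit, destination, message)
    seen = []
    prev_hop = "client"
    for i, (name, key) in enumerate(circuit):
        next_hop, payload = peel_layer(key, onion)
        seen.append({"relay": name, "prev": prev_hop, "next": next_hop,
                     "sees_plaintext": payload == message})
        prev_hop = name
        if i < len(circuit) - 1:
            onion = bytes.fromhex(payload)   # hand the still-wrapped remainder on
    return seen


# Constructed relay keys; in Tor each would come from a per-relay ntor handshake.
CIRCUIT = [
    ("guard", hashlib.sha256(b"toy key guard").digest()),
    ("middle", hashlib.sha256(b"toy key middle").digest()),
    ("exit", hashlib.sha256(b"toy key exit").digest()),
]

if __name__ == "__main__":
    for view in simulate_circuit(CIRCUIT, "example.onion", "hello over tor"):
        print(view)
```

The printed views are the whole point: the guard knows the client but only sees "next: middle" and ciphertext, the middle relay knows neither endpoint, and the exit sees the destination and the plaintext but only that the cell came from the middle relay. Linking client to destination therefore takes either the exit's and the guard's view together or traffic analysis across both ends, which is exactly where the deanonymization cases asked for in c) tend to live.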

h5 BitCoin

v) Read/watch and summarize

x) Help a friend. Evaluate another report in Laksu.

a) Value of bit money. How much is one BitCoin (BTC) worth now? Using the historical BTC price, show that you could have lost a lot of money investing in BTC. Also show that you could have made a lot of money with BTC.

b) Is it legal to own BitCoin in Finland? Why do you think so?

c) What's a block chain? Give a simple but detailed explanation. (Feel free to use the most narrow and simple definition of blockchain - no need to consider a whole cryptocurrency).

d) Not BitCoin. Give examples of some AltCoins, cryptocurrencies competing with BitCoin. For each AltCoin: how does it differ, and what is its claim to fame?

f) Reserve your presentation by email to Tero if you have not given a presentation yet. (Updated. This is just for those who have not given a presentation yet. This subtask does not require performing any tests on a computer.)

g) Voluntary: Buy some BitCoin. If you're new to this, don't risk a lot of money.

h) Voluntary: When do you have to pay taxes for BitCoin in Finland? (If you want, you can instead check taxation in another country)

i) Voluntary: Describe a simple cryptocurrency (you can invent one yourself or use an existing toy example).

j) Voluntary: Secret or public? Find some transactions on a BitCoin account that is related to a case that has had publicity.

h6 Can of Worms

v) Read/watch and summarize

  • Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 2 (about 1.5 hours). Requires free registration. If you find it easy to follow, you can also optionally look at weeks 3 and 4.

a) Can of worms. Run some malware in the https://any.run web interface. What malware was it? How did it work? Take some screenshots and explain what we see. Do you recognize any techniques or tactics? What did you learn? Do not download any malware samples to your own computer.

b) Reference implementation. Ever cop^H^H^Hlearned from StackOverflow? Pick a StackExchange site related to the course, sort questions by score, and briefly explain one question and answer. https://stackexchange.com/sites

c) Return your homework link to Laksu. Evaluate (at least) two other reports (for this task) in Laksu. Thanks for helping your fellow students with your feedback! (This subtask of returning to Laksu does not need to be reported, it just needs to be done.)

d) Voluntary. Cryptopals 1. Solve Cryptopals challenge set 1: tasks 1 "Convert hex to base64" to 4 "Detect single-character XOR". This task requires programming skills.

Tips:

  • Handling malware requires care.
    • This is the task you requested earlier in the course, and this is quite safe and easy way to do it.
    • Only use your browser to look at any.run's web interface, running malware on any.run's computers.
    • This task does not require downloading any malware samples to your computer.
    • If you want to learn malware analysis, HelSec and Disobey sometimes offer workshops on this. The ones I've participated have been very good.
  • Cryptopals
    • Do them in order, starting from the very first task.
    • When you solve the tasks, you'll learn the skills needed for harder tasks.
    • You can use any programming language
  • StackExchange sites
    • If you code, you probably know StackOverflow
    • Some good picks for this course are "Information Security" and "Bitcoin". Maybe also "Cryptography".
    • Can you find others?

h7 Final Countdown

Return to Laksu, like last time.

a) Find a block and a transaction in the BitCoin public ledger and explain their key parts.

b) Return everything. Add links to each of your homework reports here.

c) References. Check that you are referring to all of your sources in each of your reports: course, homework task, books, videos, web pages, reports by other students, manuals.

d) Two. Evaluate and give feedback on two homework packages in Laksu.
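For a) above, and for the block chain definition asked in h5 c), here is an added Python example (not from the course page and not Bitcoin's own code). It serializes the six fields of a Bitcoin block header the way Bitcoin does, hashes the 80 bytes with double SHA-256 and checks the result against the target encoded in the 'bits' field. The genesis block's real header values are used so you can compare the output with any block explorer. It then mines two toy blocks on top of it at a much lower difficulty to show the chain property: every header commits to the previous block's hash, so changing anything in an earlier block breaks every later link. The toy difficulty and the toy transactions are assumptions made for the example.

```python
import hashlib
import struct

# Added example, not Bitcoin's or the course's code.


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce) -> bytes:
    """The 80-byte header. Explorers display hashes big-endian; on the wire they are reversed."""
    return (struct.pack("<I", version)
            + bytes.fromhex(prev_hash)[::-1]
            + bytes.fromhex(merkle_root)[::-1]
            + struct.pack("<III", timestamp, bits, nonce))


def block_hash(header: bytes) -> str:
    """Block id as explorers show it: double SHA-256, byte-reversed, hex."""
    return sha256d(header)[::-1].hex()


def target_from_bits(bits: int) -> int:
    """'bits' is a compact float: one byte of exponent, three bytes of mantissa."""
    exponent, mantissa = bits >> 24, bits & 0xFFFFFF
    return mantissa << (8 * (exponent - 3))


def meets_target(hash_hex: str, bits: int) -> bool:
    return int(hash_hex, 16) <= target_from_bits(bits)


# Real header of block 0 (the genesis block); compare with any block explorer.
GENESIS = {
    "version": 1,
    "prev_hash": "00" * 32,
    "merkle_root": "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
    "timestamp": 1231006505,
    "bits": 0x1D00FFFF,
    "nonce": 2083236893,
}

# Constructed toy difficulty: about 2**16 hash attempts per block instead of mainnet's.
TOY_BITS = 0x1F00FFFF


def mine(version, prev_hash, merkle_root, timestamp, bits, max_nonce=2**32):
    """Proof of work: try nonces until the header hash is at or below the target."""
    prefix = serialize_header(version, prev_hash, merkle_root, timestamp, bits, 0)[:-4]
    target = target_from_bits(bits)
    for nonce in range(max_nonce):
        digest = sha256d(prefix + struct.pack("<I", nonce))[::-1]
        if int.from_bytes(digest, "big") <= target:
            return nonce, digest.hex()
    raise RuntimeError("no nonce found")


def build_toy_chain():
    """Genesis plus two mined toy blocks, each carrying one constructed transaction."""
    chain = [dict(GENESIS)]
    for height in (1, 2):
        # With a single transaction the merkle root is simply that transaction's id.
        txid = sha256d(f"toy tx {height}: alice pays bob".encode())[::-1].hex()
        block = {"version": 1,
                 "prev_hash": block_hash(serialize_header(**chain[-1])),
                 "merkle_root": txid,
                 "timestamp": GENESIS["timestamp"] + 600 * height,
                 "bits": TOY_BITS}
        block["nonce"], _ = mine(**block)
        chain.append(block)
    return chain


def verify_chain(chain) -> bool:
    """Every block must point at the previous block's hash and satisfy its own target."""
    prev = "00" * 32
    for block in chain:
        h = block_hash(serialize_header(**block))
        if block["prev_hash"] != prev or not meets_target(h, block["bits"]):
            return False
        prev = h
    return True


if __name__ == "__main__":
    print("genesis hash:", block_hash(serialize_header(**GENESIS)))
    chain = build_toy_chain()
    for height, block in enumerate(chain):
        print(height, block_hash(serialize_header(**block)), "nonce", block["nonce"])
    print("chain valid:", verify_chain(chain))
```

The fields you see on an explorer page (version, previous block, merkle root, time, bits/difficulty, nonce) are exactly the six inputs of serialize_header; the transaction list hangs off the merkle root, so changing any transaction changes the root, the header hash, and therefore the prev_hash that every later block was mined against.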

Tips:

  • You can find examples of BitCoin blocks and transactions on multiple free web services, search for "bitcoin block explorer"
  • Two (evaluate two homework packages)
    • Comment each report, then add a summary on the end
    • Are all tasks answered? Were they all solved? If some tasks were not completely solved, does the answer try and report sensible approaches towards the solution?
    • Do the answers explain and analyze the question or the test?
    • For technical tasks done on a computer
      • Repeatable? Does the report describe environment (OS, software versions, download URLs..), commands given and results so that you could do the same thing on a computer? And get the same problems, and solve them the same way?
      • Is the end result tested?