Trust to Blockchain 2022 autumn
ICT Security Basics - from Trust to Blockchain - ICT4HM103-3004 - 2022 Autumn

Learn security fundamentals to understand current trends. Blockchains, the TOR network and video conference encryption all stand on these fundamentals.

Excellent 4.9 out of 5 feedback.

Course name and code: ICT Security Basics - from Trust to Blockchain - ICT4HM103-3004
Timing: 2022 period 2, late autumn, w43-w50
Credits: 5 cr (master's level)
Classes: Thu 17:40 - 20:30, online, mandatory participation
Max students: 30
Language: English
Remote: Yes, fully remote
Feedback: 4.9 / 5, excellent feedback, five-star experience
Services: Moodle: Trust to Blockchain, Jitsi, Laksu
First class: 2022-10-27 w43 Thu 17:40; Tero has emailed the Jitsi video conference link

Learning goals

In this course, you will

  • Learn fundamentals of computer security
  • See them in hands-on exercises

In detail, you'll

  • Have an idea of computer security fundamentals (confidentiality, ...)
  • Be able to put infosec tools in perspective, and have tested some of these tools
  • Adversarial view: be able to take the attacker's view (at least on a hypothetical level)
  • Be able to relate information security to real-life impacts
  • Have had a look at some current security tools and techniques

This course gives you a grand overview of security principles and practice with tools implementing these principles. Even though you're expected to be able to install and configure programs and troubleshoot some errors, this is not my most technical course. If you want a demanding, hands-on technical course with exploitation practice, pick Tunkeutumistestaus (Penetration Testing ict4tn027-3003) in addition to this.

Agenda

I will keep updating the subjects, but you can write the dates in your calendar right away.

Every class is on Thursday evening, 17:40 - 20:30. It's a video conference through Jitsi, with mandatory participation.

You can give your presentation on any suitable day, even in week two. Email Tero to reserve a slot.

Date Subject
2022-10-27 w43 1. Organizing. Overview of the course. Fundamentals vs common attacks.
2022-11-03 w44 2. Hashes, passwords and cracking them. Alex: Endpoint security of Windows Servers in Azure.
2022-11-10 w45 3. Public key encryption and signing. Mariella: Certificates in Income Registry.
2022-11-17 w46 4. Bitcoin intro. Janne: Server patch management.
2022-11-24 w47 5. Bitcoin. Visitor: Miko Hirvelä: My Cryptomining Rig
2022-12-01 w48 6. Petteri: OSINT. Antti: Certificates I've used in big projects.
2022-12-08 w49 7. Helsec event (remote or in person*)
2022-12-15 w50 8. Olga: OWASP 10. Matti: Managing keys and secrets in Azure. Tomi: Installing and testing a Starlink satellite connection.
  • Remote or in person, you choose. Participation in HelSec events is free, but if in-person places run out, the rest can watch the video stream.

Evaluation

Homework 70% and presentations 30%. Evaluation is based on the totality of the skills and knowledge demonstrated.

Online classes require active participation.

(Haaga-Helia users should have free access to O'Reilly Learning, aka Safari Online, through our library, even when they are marked with € below.)

r1 Overview, concepts and fundamentals

r2 Blockchain to Cryptocurrency

r3 Offensive Views

r4 CIA Triad and Encryption

r5 Applications: Pseudonymity

r6 BitCoin and Crypto Currencies

Homework

Homework is official only after it's given in the class.

Homework is due 24 hours before next class starts. Return a link to Laksu.

Below are some preliminary ideas for homework. They are only official after the teacher has given them, as I will of course assign homework based on what we actually talked about.

h1 Adversarial mindset

x) Read and summarize. Some bullets are enough for a summary.

a) How would you compare Cyber Kill Chain and ATT&CK Enterprise matrix? Who do you think could benefit from these models? (Bonus: Do you think anything is missing from either of these models?)

b) Update: Voluntary: Use either the (Hutchins et al 2011) cyber kill chain or the MITRE ATT&CK framework for analyzing an incident of your choosing. You can pick any incident you want, but try to pick a source that gives you enough technical and business detail to do some analysis. (If you're in a hurry, the cyber kill chain is much simpler. If you're technically skilled, you might find ATT&CK interesting.)

c) Install Debian on Virtualbox. Report your work, including the environment (including host OS, the real physical computer used).

d) Voluntary bonus: What do you consider the fundamentals of security? What are the theoretical foundations you would teach on the first day?

ps. You can give your presentation as soon as the next class. Just email Tero your subject.

Tips:

  • Some bullets for each article are enough. You don't need to have all the content of the long articles in your summary.
  • For the summary, add your own question, idea or comment.
  • Hutchins et al. is the cyber kill chain paper.
  • Darknet diaries: pick any other episode but the last one, so you'll have a different episode from everyone else
  • To listen to podcasts on Android, you can use AntennaPod from F-Droid or Google Play
  • Refer to each source you've used: the course, the task given, the papers, the podcasts - all sources you've used. All sources must be mentioned in every document, page or blog using them. It's enough to just name and link them; you don't need to write another list at the end. In fact, it's important to know which information comes from which source.
  • My article Install Debian on Virtualbox explains it pretty well.
  • Got stuck with VirtualBox or Linux? Don't worry, computers are like that. Write a detailed report (in your homework) with screenshots. Explain what approaches you took and what happened. List where you found advice or articles. Explain your ideas about why it would not work. You'll get help and advice in the class (and that's not all - you'll also get Linux on your virtual machine).

h2 Hashes

You can practice cracking our own hashes here. Some of the material linked here also shows penetration testing techniques that can only be practiced in separated test networks, but these techniques are not taught here and are not needed in the homework. (Safe ways to practice those more offensive techniques are taught in Tero's course Penetration testing / Tunkeutumistestaus.)

You're only allowed to start password hash cracking task after accepting course rules in Moodle. Most have probably accepted them already a week ago.

x) Read and summarize (with some bullet points)

a) Install hashcat and test that it works.

b) Crack this hash: 21232f297a57a5a743894a0e4a801fc3

c) Crack this Windows NTLM hash: f2477a144dff4f216ab81f2ac3e3207d

d) Try cracking this hash and comment on your hash rate $2y$18$axMtQ4N8j/NQVItQJed9uORfsUK667RAWfycwFMtDBD6zAo1Se2eu . This subtask d does not require actually cracking the hash, just trying it and commenting on the hash rate.

e) Voluntary bonus: make hashcat work with your display adapter (GPU).

f) Voluntary bonus: create some hashes of your own, then crack them with hashcat.

g) Voluntary bonus hash. John the Ripper aka 'john' might also work here.

$ sudo grep elmik9 /etc/passwd /etc/shadow
/etc/passwd:elmik9:x:1003:1003:Elmeri "9" Elmik,,,:/home/elmik9:/bin/bash
/etc/shadow:elmik9:$1$xpRkwrhq$aXdu7HQirUmuTZW2m8OXs.:18401:0:99999:7:::

Tips:

  • You can likely get the paywalled books and videos for free with your Haaga-Helia account, through Haaga-Helia library's A-Z Databases. This page has a lot of free goodies included in your Haaga-Helia student status.
  • Schneier's book is famous. It's pretty dense; if this was made by a YouTube influencer, you'd get three seasons of videos from the first couple of paragraphs.
  • 'sudo apt-get update', 'sudo apt-get install hashcat hashid micro bash-completion'
  • In many tutorials, the hackers guess the type of the hash by comparing it to examples. I prefer using 'hashid -m feedd0c5', the right hash type is usually in top three, and the mode number (-m) is the same as the required -m parameter for hashcat.
  • You can use rockyou.txt or similar dictionary.
  • Some of the practical exercises can be challenging if you're new to the world of hacking. Don't worry, computers are like that. Write a detailed report (in your homework) with screenshots. Explain what approaches you took and what happened. List where you found advice or articles. Explain your ideas about why it would not work. You'll get help and advice in the class. As these are the tools that actual hackers and pentesters use, they are more optimized for getting results than for being beginner friendly.
  • Only test on practice data and practice targets. Follow the laws, never point any of these tools to production data or production systems.
  • If you're in another jurisdiction (not Finland), also check the local rules and laws before any pentest-related practice.
  • You can email Tero to reserve your presentation topic.
  • Something to think about: we just learned that hashing is a one-way function. If this is true, why can you crack the hash and find out the original password?
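The last tip above asks why a one-way hash can still be cracked. The following Python script is an added example, not from the course page or its homework, and uses only constructed sample data (a made-up weak password and a five-word stand-in for rockyou.txt). It shows that cracking means guessing and comparing rather than inverting, that an unsalted fast hash can be precomputed once for every user, and what the defender's answer looks like: a per-user salt and a deliberately slow key-derivation function, which is also why the bcrypt hash rate in subtask d is so low.

```python
import hashlib
import hmac
import os
import time

# Constructed example (not from the course page): a weak password stored as a
# bare, unsalted MD5 digest, the kind of storage the hashcat tasks above target.
WEAK_PASSWORD = "sunshine1"
STORED_MD5 = hashlib.md5(WEAK_PASSWORD.encode()).hexdigest()

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "sunshine1", "qwerty"]


def guess_unsalted_md5(target_hex, wordlist):
    """The hash is one-way, so nobody inverts it: the cracker hashes every
    candidate and compares. Returns the matching candidate or None."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


def precomputed_table(wordlist):
    """Without a salt, one digest -> password table serves every user forever."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def store_pbkdf2(password, iterations=200_000):
    """Defender's side: a random per-user salt plus a deliberately slow KDF.
    PBKDF2-HMAC-SHA256 is used here because it is in the standard library;
    bcrypt, scrypt or Argon2 are the usual production choices."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_pbkdf2(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare


def cost_ratio(iterations=50_000, md5_samples=2000):
    """How many unsalted MD5 guesses fit into the time of one PBKDF2 check.
    Wall-clock measurement, so the exact number depends on the machine."""
    start = time.perf_counter()
    for i in range(md5_samples):
        hashlib.md5(f"guess{i}".encode()).hexdigest()
    md5_each = (time.perf_counter() - start) / md5_samples
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"0123456789abcdef", iterations)
    kdf_one = time.perf_counter() - start
    return kdf_one / md5_each


if __name__ == "__main__":
    print("MD5 guess found:", guess_unsalted_md5(STORED_MD5, WORDLIST))
    a, b = store_pbkdf2(WEAK_PASSWORD), store_pbkdf2(WEAK_PASSWORD)
    print("same password, different stored records:", a["digest"] != b["digest"])
    print(f"one PBKDF2 check costs about {cost_ratio():.0f} MD5 guesses")
```

The two stored records for the same password differ because of the salt, so a precomputed table is useless against them, and the cost ratio is the same effect hashcat reports as a much lower hash rate for bcrypt than for MD5.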

h3 Public key

a) Read and summarize (with some bullet points)

  • € Schneier 2015: Applied Cryptography:
    • Chapter 1: Foundations:
      • 1.1 Terminology
      • 1.6 Computer Algorithms
      • 1.7 Large Numbers
    • Chapter 2 Protocol Building Blocks:
      • 2.5 Communications Using Public-Key Cryptography: from start to end of "Hybrid Cryptosystems"
      • 2.6 Digital Signatures:
        • Digital Signature Trees [aka Merkle trees]
        • Signing Documents with Public-Key Cryptography

b) Give two examples of public key cryptography (other than PGP). Explain how public keys are used here. (No hands-on tests required for this subtask)

c) Encrypt and sign a message. Then decrypt and verify it. Use PGP to encrypt and sign messages. (Do this hands on with a computer, and write the report while you're working).
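Before doing subtask c with gpg, it helps to see what encrypt-and-sign does underneath. The Python below is an added example, not from the course page and not how GnuPG is implemented: textbook RSA with a toy 512-bit key and a SHA-256 keystream standing in for AES, showing Schneier's hybrid cryptosystem (a random session key encrypts the message, the recipient's public key wraps the session key) and a signature over the package made with the sender's private key. Real systems add padding (OAEP, PSS), larger keys and an authenticated cipher; this only makes the roles of the keys visible.

```python
import hashlib
import math
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (after trial division by small primes)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def gen_keypair(bits=512):
    """Returns (public, private) as (e, n) and (d, n). 512 bits is a toy size."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def keystream_xor(key, data):
    """Toy stream cipher standing in for the symmetric algorithm (AES in
    practice): XOR the data with SHA-256(key || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_and_sign(message, recipient_pub, sender_priv):
    """Hybrid encryption: session key encrypts the message, RSA wraps the
    session key. Then the sender signs SHA-256 of the whole package."""
    e, n = recipient_pub
    session_key = secrets.token_bytes(32)          # 256 bits, always below n
    body = keystream_xor(session_key, message)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    package = body + wrapped_key.to_bytes((n.bit_length() + 7) // 8, "big")
    digest = int.from_bytes(hashlib.sha256(package).digest(), "big")
    d_s, n_s = sender_priv
    signature = pow(digest, d_s, n_s)              # textbook RSA, no padding
    return package, signature


def decrypt_and_verify(package, signature, recipient_priv, sender_pub):
    """Returns (plaintext, signature_ok). The signature is checked against the
    sender's public key before the plaintext is trusted."""
    e_s, n_s = sender_pub
    digest = int.from_bytes(hashlib.sha256(package).digest(), "big")
    signature_ok = pow(signature, e_s, n_s) == digest
    d, n = recipient_priv
    key_len = (n.bit_length() + 7) // 8
    body, wrapped = package[:-key_len], package[-key_len:]
    session_key = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(32, "big")
    return keystream_xor(session_key, body), signature_ok


if __name__ == "__main__":
    alice_pub, alice_priv = gen_keypair()
    bob_pub, bob_priv = gen_keypair()
    pkg, sig = encrypt_and_sign(b"meet at noon", bob_pub, alice_priv)
    print(decrypt_and_verify(pkg, sig, bob_priv, alice_pub))
```

Note which key is used where: Bob's public key to encrypt, Bob's private key to decrypt, Alice's private key to sign, Alice's public key to verify. That is exactly the pairing behind `gpg --encrypt --sign` and `gpg --decrypt`.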

d) Voluntary: Secrets with friends. Send a PGP message to your friend, and decrypt the reply.

e) Voluntary: Find the correct PGP key for Richard Stallman, the head of Free Software Foundation. Then find an incorrect, suspect or fake PGP key for Stallman. Why do you think one key is genuine and another is suspect?

f) Voluntary, programmers only: Cryptopals. Solve Set 1: Challenges 1-3. I highly recommend Cryptopals for learning to break cryptography.

Tips:

  • To encrypt with PGP, you can use GnuPG aka gpg (Linux: 'sudo apt-get install gpg'; Windows: gpg4win, I haven't tested the Windows version).
  • gpg --gen-key; gpg --fingerprint; gpg --export --armor bob > bob.asc; gpg --import bob.asc; gpg --encrypt --sign --recipient bob message.txt; gpg --decrypt message.txt.gpg;
  • To use PGP in your daily life, I recommend Thunderbird and Enigmail.

h4 BitCoin intro

x) Read/watch and summarize

  • Nakamoto, Satoshi 2008: Bitcoin: A Peer-to-Peer Electronic Cash System. (A colored HTML version.) This is the paper that defined and introduced BitCoin. You can skip "11. Calculations" if you don't like sigma symbols (or just read the code instead of the maths if you're a coder). The URL and email address at the top of the website version seem unbelievable and appear to have been added by a third party.
  • Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 1 (about 1 hour). Requires free registration. If you find it easy to follow, you can also optionally look at week 2 (1.5 h).

a) Really Black Friday. How much is one BitCoin (BTC) worth now? Using the historical BTC exchange rate, show that you could have lost a lot of money investing in BTC. Also show that you could have won a lot of money with BTC.

b) What's a block chain? Give a simple but detailed explanation. (Feel free to use the most narrow and simple definition of blockchain - no need to consider a whole cryptocurrency).
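As an added example (not from the course page or Nakamoto's paper), here is the narrow definition of a block chain in working Python using only the standard library: each block commits to the previous block's hash, to a Merkle root over its transactions (the "digital signature tree" from the Schneier reading in h3), and to a proof-of-work nonce. The transactions, names and the three-hex-zero difficulty are constructed for the demo.

```python
import copy
import hashlib
import json


def sha256d(data: bytes) -> str:
    """Bitcoin-style double SHA-256, hex encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def tx_hash(tx: dict) -> str:
    return sha256d(json.dumps(tx, sort_keys=True).encode())


def merkle_root(leaf_hashes):
    """Merkle tree: hash leaves pairwise and repeat on each new level until one
    root remains. An odd level gets its last element duplicated, as in Bitcoin."""
    if not leaf_hashes:
        return sha256d(b"")
    level = list(leaf_hashes)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256d((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


class Block:
    def __init__(self, prev_hash, transactions):
        self.prev_hash = prev_hash
        self.transactions = transactions
        self.merkle = merkle_root([tx_hash(t) for t in transactions])
        self.nonce = 0

    def header(self) -> bytes:
        return f"{self.prev_hash}|{self.merkle}|{self.nonce}".encode()

    def hash(self) -> str:
        return sha256d(self.header())

    def mine(self, difficulty):
        """Proof of work: increment the nonce until the header hash starts
        with the required number of hex zeros."""
        while not self.hash().startswith("0" * difficulty):
            self.nonce += 1
        return self.nonce


GENESIS_PREV = "0" * 64


def build_chain(blocks_of_txs, difficulty=3):
    chain, prev = [], GENESIS_PREV
    for txs in blocks_of_txs:
        block = Block(prev, txs)
        block.mine(difficulty)
        chain.append(block)
        prev = block.hash()
    return chain


def validate_chain(chain, difficulty=3):
    """Recompute every link instead of trusting the stored fields."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev:
            return False
        if merkle_root([tx_hash(t) for t in block.transactions]) != block.merkle:
            return False
        if not block.hash().startswith("0" * difficulty):
            return False
        prev = block.hash()
    return True


# Constructed transactions for a toy coin; names and amounts are invented.
SAMPLE_BLOCKS = [
    [{"from": "coinbase", "to": "alice", "amount": 50}],
    [{"from": "alice", "to": "bob", "amount": 20},
     {"from": "alice", "to": "carol", "amount": 5},
     {"from": "bob", "to": "carol", "amount": 1}],
]


def tamper_demo():
    """Edit one old transaction: the Merkle root, the block hash and every
    later prev_hash stop matching, so the chain no longer validates."""
    chain = build_chain(copy.deepcopy(SAMPLE_BLOCKS))
    before = validate_chain(chain)
    chain[0].transactions[0]["amount"] = 5000
    return before, validate_chain(chain)


if __name__ == "__main__":
    for i, b in enumerate(build_chain(SAMPLE_BLOCKS)):
        print(i, b.hash(), "nonce", b.nonce)
    print("valid before/after tampering:", tamper_demo())
```

This is the whole definition asked for in subtask b: a hash-linked list with a commitment to its contents. Everything a cryptocurrency adds (signed transactions, balances, consensus among many miners) sits on top of it.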

c) Not BitCoin. Give examples of some AltCoins, cryptocurrencies competing with BitCoin. For each AltCoin: how does it differ, and what's its claim to fame?

h) Voluntary: Really black Friday. Buy some BitCoin - it's on discount. If you're new to this, don't risk a lot of money.

i) Voluntary: When do you have to pay taxes for BitCoin in Finland? (If you want, you can instead check taxation in another country)

j) Voluntary: Describe a simple cryptocurrency (you can invent one yourself or use an existing toy example).

k) Voluntary: Secret or public? Find some transactions on a BitCoin account that is related to a case that has had publicity.

h5 Detective CoinBit

x) Read/watch and summarize. (Some bullets are enough)

  • Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 2 (about 1 hour 20 min). Requires free registration. If you find it easy to follow, you can also optionally look at week 3 which goes to detail about blocks and networks you had some questions about.

a) Detective Coinbit. Find and analyse a BitCoin transaction. Voluntary bonus: what else have the related parties done?

b) Dashboard of Doom. Look at and comment on Miko Hirvelä's crypto mining dashboard. Explain the current state of cryptocurrency mining. Relate your explanation to Miko's presentation and dashboard. What possible scenarios do you see for cryptocurrencies in the future?

h6 Onion

In Finland, it's legal to use TOR at the time of writing. If you reside in another jurisdiction, laws might be different. Obviously, it's illegal to do illegal things in TOR, just like it's illegal to do illegal things anywhere. Only do legal things.

If you reside in a jurisdiction where using TOR is illegal, you obviously can't install it and do the related tasks. For those cases, the alternative task is: based on literature only (no hands-on tests, no installation), compare anonymous/pseudonymous networks, such as TOR, I2P, Freenet and others. How do their goals, technology and other features differ? How are they similar?

x) Read and summarize (briefly, e.g. with some bullets)

a) Install TOR browser and access TOR network (.onion addresses). (Explain in detail how you installed it, and how you got access to TOR).

b) Browse TOR network, find, take screenshots and comment

  • search engine for onion sites
  • marketplace
  • fraud
  • forum

c) In your own words, how does anonymity work in TOR? (e.g. how does it use: public keys, encryption, what algorithms?)

d) What kind of threat models could TOR fit?
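For subtasks c and d, the Python below is an added example (not from the course page or the Tor project) that models layered encryption over a circuit of three relays, each sharing a constructed symmetric key with the client; in Tor those keys come from a public-key handshake with each relay, and the relay names, destination and message here are invented. Running a message through the circuit shows what each hop learns: the guard knows the client and the middle relay, the middle knows only its two neighbours, and the exit knows the destination and sees the plaintext, which is the part of the threat model that TOR alone does not cover (hence end-to-end encryption such as HTTPS on top).

```python
import hashlib
import json
import secrets


def keystream_xor(key, data):
    """Toy symmetric cipher (XOR with SHA-256(key || counter) blocks) standing
    in for the AES keys a Tor client shares with each relay of a circuit."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


# Constructed circuit: one symmetric key per relay. In Tor the client negotiates
# each key with that relay's public key while building the circuit, so only
# that relay can peel its own layer.
PATH = ["guard", "middle", "exit"]
KEYS = {relay: secrets.token_bytes(32) for relay in PATH}


def wrap_layer(key, next_hop, inner):
    plain = json.dumps({"next": next_hop, "body": inner.hex()}).encode()
    return keystream_xor(key, plain)


def build_onion(keys, path, destination, message):
    """Wrap from the inside out: the exit's layer names the destination, the
    middle's layer names the exit, the guard's layer names the middle."""
    hops = path + [destination]
    blob = message.encode()
    for i in reversed(range(len(path))):
        blob = wrap_layer(keys[path[i]], hops[i + 1], blob)
    return blob


def peel_layer(key, blob):
    """What one relay does: decrypt its layer and learn only the next hop."""
    plain = json.loads(keystream_xor(key, blob))
    return plain["next"], bytes.fromhex(plain["body"])


def run_circuit(keys, path, destination, message):
    """Returns, per relay, (relay, previous hop, next hop, bytes forwarded)."""
    blob = build_onion(keys, path, destination, message)
    observations, prev = [], "client"
    for relay in path:
        next_hop, blob = peel_layer(keys[relay], blob)
        observations.append((relay, prev, next_hop, blob))
        prev = relay
    return observations


if __name__ == "__main__":
    for relay, prev, nxt, forwarded in run_circuit(KEYS, PATH, "example.com", "hello"):
        print(f"{relay}: from {prev} to {nxt}, forwards {forwarded[:16]!r}...")
```

No single relay sees both the client and the destination, which is the anonymity property; a party that watches both ends of the circuit at once, or the exit relay reading unencrypted traffic, is outside what this layering protects against.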

Tips:

  • Be cautious: don't trust anonymous sites, don't enter your name or other personal details anywhere.
  • OPSEC is hard, any single tool will not magically make you untraceable.
  • Shavers & Bair book is available for free using your HH credentials and Haaga-Helia A-Z page.

h7 HelSec

a) Summarize one HelSec presentation.