Information Security 2023 Autumn
Data security course, in English as you asked.
Understand adversarial view on security. Recognize key concepts of security. Be able to safely practice hands-on with security tools.
Course name and code: | Information Security ICI002AS2AE-3003 |
Timing | 2023 period 1, early autumn, w34-w41 |
Credits | 5 cr |
Classes | Mondays 08:15 - 13:45, in Pasila pa5001 |
Max students | 30 |
Language | English |
Type | Contact, in physical classroom, mandatory participation [as requested] |
Feedback | 4.2 - 4.6 / 5 Excellent feedback * |
Services | Moodle, Laksu |
First class | 2023-08-21 w34 Monday 08:15, classroom pa5001, physically present with your laptop |
* Feedback average of each course instance: from 4.2 "good" to 4.6 "excellent", including the same course under the name Data Security from the previous curriculum. I'm giving other security courses, too. Penetration testing (challenging course in Finnish) has reached excellent 5.0 /5, with every participant giving feedback and each feedback being 5. And Master level (YAMK) Trust to Blockchain has gotten to excellent 4.9 /5.
Agenda
Eight security Mondays in Pasila, at 08:15 in pa5001. All classes require active participation.
I changed this course to contact (physically in the class) as requested in the feedback.
Date | Theme |
---|---|
2023-08-21 w34 Mon | 1. Organizing. Fundamentals. Practice environments. |
2023-08-28 w35 Mon | 2. Web security. |
2023-09-04 w36 Mon | 3. Threath modeling. Cyber kill chain and a bit of ATT&CK. |
2023-09-11 w37 Mon | 4. Encryption. Asymmetric vs symmetric. Pia: Social Engineering. |
2023-09-18 w38 Mon | 5. Eleonora: Passwords. Password hashing. Cracking hashes. |
2023-09-25 w39 Mon | 6. Applied. Valtteri: Tor. Darknet exercise. Summary. |
2023-10-02 w40 Mon | 7. Presentations. Yanli. Le: DDoS. Tuukka. Abrar. Tuan. Emilio: Cicada 3301. Marissa: Pegasus. Rolando: Race conditions. |
2023-10-09 w41 Mon | 8. Presentations. Rodrigo: OPSEC and the criminal world. Elias: Behaviors and Attitudes with cybersecurity. Ibrahim: Security flaws in IoT. Aly: Hardware security keys. Márk: Hacking the Xbox. Preshika: Zero Trust Security Model. Renne: Fuzzing and Debugging. |
There will likely be updates to the contents of the classes as the course advances.
Goals
After completing this course, you will
- Understand adversarial view on security
- Recognize key concepts of security
- Be able to safely practice hands-on with security tools
Hands-on exercises will emphasize environments fully controlled by you, using free open source software in your possession.
Assessment
- Active participation in classes
- Homework (66%)
- Presentation (33%)
Evaluation of the course is based on totality of the work presented.
Previous courses
This is the first instance of Information Security. But check out my similar course from previous curriculum, Data Security:
- Information Security 2023 Spring
- Data Security ICT4TF022-3008, 2022 early spring
- Data Security 2022 ict4tf022-3009, 2022 early autumn
Feedback
Thanks already! Your feedback is very important to me. I will read it all (twice+) and make improvements. Please give your feedback to two channels.
1) Free form feedback as a comment on this page
Write your comment on this page.
You can write what ever you want. No need to repeat the questions, but they are here to get you started.
- Did you learn something? Do you now know something you did not know before the course? (Models, frameworks, ideas, tools?)
- Did you do something for the first time? (Broke passwords, broke into web service, create treath models, used password manager, encrypted messages? Used some technique or a tool for the first time?)
- Is this useful? Are these skills useful in companies?
- How did you like the presentations? Interesting subject? Did you like presenting? Useful information? Actionable?
- How did you like comments and feedback? Did you get answers to your questions? (from classmates, teacher; to your homework, presentations)
- Feelings: did you enjoy the course?
- How could I improve the course? (I can make almost any change here, if it's important)
- Would you recommend the course? Have you already recommended it? Who would benefit from the course (a colleague, a fellow student)?
2) Numeric feedback to Haaga-Helia feedback system (Peppi)
1-worst, 5-best
- Your active participation in studies
- Achieving the learning goals
- The study methods supported learning
- The study environment supported learning
- Benefits to your career
Open, you can copy the same answer you gave earlier
- What promoted your learning?
- How would you develop the implementation / group of implementations further so that the learning goals could be achieved better?
Your overall assessment of the implementation, 1-worst, 5-best
How likely would you recommend the course to your fellow students? 1-worst, 10-best.
Thank you for your feedback, and thank you for our course!
Optional: Keep up with Linux & security, join Tero's list. (And get invitations to visitors on security)
See you in my future courses!
Homework
Homeworks are done with a computer and reported at the same time. If some task does not require performing tests with a computer, it's specied writing.
Each homework is returned
- 24 h before start of next lecture
- you can publish your homework report in any website you like
- return a link to Laksu
- cross-evaluate two other homeworks
To save everyone's time, I will remove those from the course who don't return homework.
Github is a convenient place to publish your reports, others are Gitlab and Wordpress.com. I highly recommend publishing your work, it seems to help getting job offers. But if you don't dare or want to publish, you can put your web page behind a password (e.g. in Wordpress.com, same password for all reports), and share this password with your group.
The homeworks are official after they are given in the class. Don't start them before, because they might change.
h1 First steps
Become a hacker, step 0
Start the homework only after you've accepted the rules in course Moodle.
- x) Read (or listen) and summarize. (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary)
- Any episode from Darknet Diaries Podcast.
- Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, chapters Abstract, 3.2 Intrusion Kill Chain and 3.3 Courses of Action
- b) Bookworm. Install Debian 12-Bullseye virtual machine in VirtualBox. (See also: Karvinen 2021: Install Debian on VirtualBox)
- o) Voluntary bonus: My fundaments. What do you consider the fundamentals of security? What would you teach the first day?
- q) Voluntary multi-week bonus, requires programming: Ptacek et al: Cryptopals.
Tips:
- AntennaPod is convenient Android program for listening podcasts. It's available in F-Droid and Google Play. Of course, there are hundreds if not thousands other programs for podcasts, too.
- Pick any episode. Check descriptions, and pick one that's likely to be suitable here.
- Why are these tasks just the right level? To prepare you for learning hacker skills in this course.
- Why are these tasks so hard? => See below, "If you get stuck".
- Why are these tasks so easy? => Because you've practiced before, good for you. Also do voluntary bonus tasks above for some challenge and development. Still too easy? Contact me for special arrangements, I want you to spend your time efficiently.
- In "Read and summarize":
- read first, then summarize
- summarize key content
- not just headings
- don't just describe the article, tell the main things it says
- add a question, an idea or a comment of your own to each article
- Yes, you're expected to read the friendly manuals, Google/Duck, and try multiple approaches
- Refer & link any sources you use
- Course / the classes
- Homework assingments
- Homework reports by other students
- Any web pages
- Manuals, Articles, Man pages...
- Referencing your sources is required
- When reporting tests on a computer
- Write while you work
- Save often
- Explain why
- Have some screenshots
- If some command output is very long, only quote relevant parts (if you want, you can put the long text as an appendix or behind a link)
- If you get stuck
- Don't worry: Computers are cranky, that's why they pay hackers well
- Solve and report all parts you can do
- Return your partial report in time
- Google/Duck. That's what the pros do, too. Write down a reference to the sources you used.
- If you need to look at a walktrough (an exact solution to this homework, task or flag), clearly mark where you needed it.
- Solve the trouble part as far as you can. Report all approaches taken.
- Ask about the challenges in the class, likely someone else had the same thing
- Bandit uses SSH. In Linux, that's 'ssh tero@example.com', and it might also work in new Windowses. For older Windowses, you can also use Putty SSH.
- Read my (Tero's) articles on how to install Debian before you start
- To see some example solutions for homeworks, Google/Duck my name + course name, e.g. "Tero Karvinen Penetration Testing" without the quotes.
h2 Spiderwebs
Remember to keep it safe, legal and ethical. Especially if you grasp OWASP 10, you still can't try these to machines you don't own. You can only start doing the excercises after accepting course rules in Moodle.
- x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
- a) Goat. Install webgoat.
- b) F12. Solve Webgoat 8: General: Developer tools.
- c) Not outdated. Update all operating system and all applications in your Linux.
- d) Sequel. Solve SQLZoo:
- 0 SELECT basics
- 2 SELECT from World, from first two subtasks.
- e) Johnny tables. Solve Portswigger Labs: Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- m) Voluntary bonus: WebGoat: SQL Injection
- n) Voluntary bonus: solve some Portswigger labs marked as Apprentice (easy level)
- o) Voluntary multi-week bonus, requires programming: Ptacek et al: Cryptopals.
Tips:
- If you get stuck
- F12 Developer tools: I'm using Firefox F12. But it probably works on Chromium, too.
- You can update all software in Linux with
- Open terminal
- 'sudo apt-get update'
- 'sudo apt-get dist-upgrade'
- If this is your first full upgrade, reboot (it's only needed for kernel upgrades)
- SQLZoo
- If you've got a lot of experience with databases already and SQLZoo is too easy, you can instead install a relational database (Postgre, Mariadb...) and show CRUD operations using command line client and SQL.
- Yes, I think they really run your queries on database management system
- In SQL, you can often write long numbers in engineering notation, nine zeroes after two as 2e9 instead of 2000000000
- Johnny tables
- You only need your browser (even though the official example solution uses a paid tool by the makers of the lab)
- Try different places. But if you're completely out of options: peek the solution, apply it to use just browser (no mitm proxy needed), mention in your report the hints used - and try to explain how the solution works.
- WebGoat
- What kind of quotes did SQL have?
- If you raise everyone's salaries, are you the richest anymore?
- The names here are the same as in OWASP 10 2021 and OWASP 10 2017.
- In injections, it's nice to know:
- SQL string delimiter (single quote, aphostrophe) "'" (end of user input, start of my hostile injection)
- SQL comment (double dash) "--" (end of my evil injection, you can ignore the rest, dear database management system)
- There are many ways to do SQL injection
- b) Injected. Solve WebGoat:
- A1 Injection (intro)
h3 Should Tero wear a helmet?
- x) Read / watch and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
- Braiterman et al 2020: Threat modeling manifesto
- Shostack 2022: Welcome to the Worlds Shortest Threat Modeling Course (12 parts, about 15 min total, audio is enough for all except video 7 "Data flow diagrams")
- Shostack 2014: Chapter 1 - Dive In and Threat Model! €
- OWASP CheatSheets Series Team 2021: Threat Modeling Cheat Sheet
- a) Security hygiene. What basic security practices should everyone follow? Are there some security hygiene practicies that you consider useful, but might be above an average Joe? (This subtask does not require tests with a computer. A bullet list is enough)
- b) Make-belief boogie-man - a threat model for imaginary company.
- This subtask does not require tests with a computer.
- A long, extensive answer with narrative, analysis and a diagram is expected.
- Create an imaginary company and create threat model.
- Business requirements come from business, technical specialist help with tech. Inlude this in your narrative.
- Your analysis should cover all parts of the four question model (four key questions in Threat modeling manifesto)
- (1) What are we working on?
- Our assets
- Priorization, key assets
- E.g. customer health data is a crown jevel, personel gaming server is probably not
- Security supports business
- Draw a diagram of the company systems
- Write a description.
- Our assets
- (2) What can go wrong?
- Apply one or more named models: Attack trees, STRIDE, ATT&CK...
- Give some examples of identified risks - you don't need to find all risks or likely vulnerabilites, as there would be too many for this homework.
- Priorize biggest risks
- High expected value (or other very high risk)
- Expected value = probability * monetary value
- Expected value is a tool for discussion, it's not exact science as we have to guestimate the input numbers
- Are you targetted by specific threat actors?
- Known TTPs? (tactics, techniques, procedures)
- COI - Capability, Opportunity, Intent
- Apply one or more named models: Attack trees, STRIDE, ATT&CK...
- (3) What are we going to do about it?
- Can you: reduce attack surface, limit entry points...
- Reduce, transfer, avoid, accept
- (4) Did we do a good enough job?
- Security audits, pentests, assesments, continous threat modeling and evaluation
- (1) What are we working on?
Tips:
- O'Reilly Learning € (former Safari) is a bit pricey, but Haaga-Helia students get free access trough Haaga-Helia library A-Z page.
h4 ETAOIN
- x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
- € Schneier 2015: Applied Cryptography: Chapter 1: Foundations
- y) Find out frequency distribution of letters for a language that you know (other than English). What are the six most common letters? (This subtask y does not require tests with a computer if the question can be answered without them)
- z) Choose a password manager. Explain:
- What threats does it protect against?
- What information is encrypted, what's not?
- What's the license? How would you describe license's effects or categorize it?
- Where is the data stored? If in "the cloud", which country / juristiction / which companies? If on local disk, where?
- How is the data protected?
- (This subtask z does not require tests with a computer).
- a) ETAOIN. When asked to come up with encryption scheme in the class, almost everyone described a variation of a simple substitution chipher. As requested, now it's time to attack your own scheme! Crack this ciphertext:
- HDMH'B TH. KWU'YI AWR WSSTOTMJJK M OWQINYIMLIY! MB KWU BII, BTGPJI BUNBHTHUHTWA OTPDIYB OMA NI NYWLIA RTHD SYIEUIAOK MAMJKBTB. BII KWU MH DHHP://HIYWLMYCTAIA.OWG
- b) Demonstrate the use of a password manager.
- c) Encrypt and decrypt a message. Explain the purpose of each step. Explain why you choose the tool you're using. (You can use any tool you want. You must do and report the encryption at the same time, it's not enough to try to remember what we did in the class. )
- m) Voluntary bonus: send and receive encrypted message over email.
- n) Voluntary bonus, easy: try rot13, the military grade top-secret encryption of the top-2 empire of year zero. Could double rot13 provide extra security?
- o) Voluntary difficult bonus, requries coding skills: Cryptopals (recommended, if you have what it takes).
Tips:
- Frequency distributions for most languages can be found in search engines and probably Wikipedia
- Some examples of password managers include 'pass' (https://www.passwordstore.org/) and KeePassXC. There are also many others.
- ETAOIN
- This challenge can be solved with pen and paper, no coder skills required. (Like most things, it's faster with a computer, though.)
- Just like this course, the cleartext is in English
- Looking at word lengths and spaces, this ciphertext is likely using a simple substitution cipher.
- Use your eyes - can you identify possible common words or parts of them?
- After ruling out Caesar (e.g. rot13), we can use frequency analysis
- Most common letter in English is E, the second most common is T... The frequency table is ETAOIN shrdlu.
- Frequency is about statistics and probability. It's not guaranteed that E is the most common, it's just likely. Especially short texts make statistical analysis less efficient.
- It's much more likely that most common letters are from ETAOIN than the from the least frequent j, x or z.
- Use your sisu
- If first guess does not crack it, try another one.
- Make notes as you work.
- Document your approaches and how far you can get, even if you couldn't crack the whole thing.
- O'Reilly Learning € (former Safari) is a bit pricey, but Haaga-Helia students get free access trough Haaga-Helia library A-Z page.
h4 September2023!
You will learn about two key vectors for initial compromize: passwords and phising.
- x) Read or watch and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
- € Schneier 2015: Applied Cryptography: 2.3 One-Way Functions and 2.4 One-Way Hash Functions.
- Särökaari 2018: Phishing trough email (video, 33 min)
- a) Install Hashcat. Test it with a sample hash. See Karvinen 2022: Cracking Passwords with Hashcat
- b) Crack this hash: 8eb8e307a6d649bc7fb51443a06a216f
- c) Gone phising. Create a phising email. In addition to the email, you must explain your tactics and the scennario where the phising email is used. (This subtasks does not require tests with a computer).
- m) Voluntary: Compile John the Ripper, Jumbo version. Karvinen 2023: Crack File Password With John.
- n) Voluntary: Crack a zip file password
- o) Voluntary: create a password protected file other than ZIP. Crack the password. How many formats can you handle?
Tips:
- Gone Phising
- Communication starts with the audience in mind
- What kind of organization and person is the target?
- You can come up with a fictional org and person
- What is the goal of the mail?
- What tactics are you using?
- Technical
- Psychological (e.g. Cialdini...)
- You can explain any technical parts of the attack, but no actual code and no macros are needed here.
- Don't actually send your email anywhere, just include it in your report
- Do you feel that the email passes the common sense test?
- Communication starts with the audience in mind
- O'Reilly Learning € (former Safari) is a bit pricey, but Haaga-Helia students get free access trough Haaga-Helia library A-Z page.
h5. A. Nynomous
In Finland, it's legal to use TOR at the time of writing. If you reside in another juristiction, laws might be different. Obviously, it's illegal to do illegal things in TOR, just like it's illegal to do illegal things anywhere. Only do legal things.
If you are currently in a juristiction where using TOR is illegal, you obviously can't install it and do the related tasks. For those cases, alternative task is: based on literature only (no hands on tests, no installation), compare anonymous/pseudonymous networks, such as TOR, I2P, Freenet and others. How do their goals, technology and other features differ? How are they similar?
x) Read and summarize (briefly, e.g. with some bullets)
- Quintin 2014: 7 Things You Should Know About Tor
- Shavers & Bair 2016: Hiding Behind the Keyboard: The Tor Browser €; subchapters: "Introduction", "History and Intended Use of The Onion Router", "How The Onion Router Works", "Tracking Criminals Using TOR".
a) Install TOR browser and access TOR network (.onion addresses). (Explain in detail how you installed it, and how you got access to TOR).
b) Browse TOR network, find, take screenshots and comment
- search engine for onion sites
- marketplace
- forum
- a site for a well known organization that has a physical street address in the real world
c) Voluntary or alternative task: You can do this task in place of a and b. Install a darknet browser other than TOR, such as I2P or Freenet. Search, screenshot and describe examples of contents there.
Tips
- Alternatives for installing TOR
- https://www.torproject.org/download/ (probably easiest)
- sudo apt-get update; sudo apt-get install torbrowser-launcher
- https://tails.net/
- https://www.whonix.org/
- OPSEC is hard, any single tool will not magically make you untraceable
- Be cautious: don't trust anonymous sites, don't enter your name or other personal details anywhere.
- O'Reilly Learning € (former Safari) is a bit pricey, but Haaga-Helia students get free access trough Haaga-Helia library A-Z page.
h6. Final countdown
- x) All reports. List link to each of your homework reports. (This subtask does not require tests with a computer).
- y) Presentation cross evaluation. Return cross evaluation of presentation to Moodle (This subtask does not require tests on a computer, and not even a report. Just return the current version of cross evaluation [presentations day 1]. You can later update it to include presenations day 2.)
- a) Firewall. Install a firewall on Linux and block all ports you don't need to be open.
- b) Ssherver. Install OpenSSH server and connect to it.
- c) Voluntary: Pubkey. Automate SSH login with public key authentication.
- d) Voluntary: Explain how public keys and encryption were used in subtasks b and c (This subtask does not require tests with a computer.
Do want to join free hacking presentations, like Social-Riku? Join my mailing list for up-to-date info.
Tips:
- Always use good passwords. Never practice with bad passwords. If you have a bad password on your computer, you can fix it with 'passwd' (as the user) or 'sudo passwd jurpo' (as superuser, on behalf of user jurpo).
- SSH execercise is similar to what was demonstrated and discussed in the class.
- The commands below are written from memory, so who knows if they have any typoos.
- I'm giving you pretty useful commands here. Your report should test them on a computer and explain what they do. Manual pages can help understanding them, e.g. 'man systemctl'.
- sudo apt-get update; sudo apt-get install ufw; sudo ufw allow 22/tcp; sudo ufw enable
- sudo apt-get install ssh; sudo systemctl start ssh
- whoami; ssh tero@localhost; exit
- sudo adduser matti # always use good passwords, never use bad passwords
- ssh-keygen; ssh-copy-id tero@localhost
Adminstrivia
I will keep updating this page during and after the course.