Trust to Blockchain 2023 autumn
ICT Security Basics - from Trust to Blockchain - ICT4HM103-3005 - 2023 Autumn

Learn security fundamentals to understand current trends. Blockchains, TOR network and video conference encryption all stand on these fundamentals.

Excellent 4.9 out of 5 feedback.

Course name and code: ICT Security Basics - from Trust to Blockchain - ICT4HM103-3005
Timing: 2023 period 2 late autumn, w43-w50
Credits: 5 cr (masters level)
Classes: Thu 17:40 - 20:30, online, mandatory participation
Max students: 30
Language: English
Remote: Yes, fully remote
Feedback: 4.9 / 5 * Excellent feedback, five star experience
Services: Moodle: Trust to Blockchain, Jitsi, Laksu. Voluntary extra: Tero's list.
First class: 2023-10-26 w43 Thu 17:40, Tero's Jitsi video conference link is in Moodle

* Best feedback 4.9/5 excellent, lowest 4.3/5 good.

Learning goals

In this course, you will

  • Learn fundamentals of computer security
  • See them in hands on exercises

In detail, you'll

  • Have an idea of computer security fundamentals (confidentiality, ...)
  • Can put infosec tools in perspective, and have tested some of these tools
  • Adversarial view - Can take attacker view (at least on a hypothetical level)
  • Can relate information security to real life impacts
  • Has had a look on some concurrent security tools and techniques

This course gives you a grand overview of security principles and practice, with tools implementing these principles. Even though you're expected to be able to install and configure programs and troubleshoot some errors, this is not my most technical course. If you want a demanding, hands-on ethical hacking course, pick Tunkeutumistestaus (Penetration Testing) in addition to this.

Photo shows Mika Hirvelä's cryptomining rig, photo by Hirvelä.

Agenda

I will keep updating the subjects, but you can write dates to your calendar right away.

Every class is on Thursday evening, 17:40 - 20:30. It's a video conference through Jitsi, mandatory participation.

You can give your presentation on any suitable day, even in week two. Email Tero to reserve a slot.

Date - Subject
2023-10-26 w43 Thu - 1. Welcome words. Overview of the course. 19:15 Helsec event, live stream on Twitch*. Elias Alanko: What the BEC II - Invoice fraud and how it is done in the corporate world. Carolina Angelis: Espionage and the human factor.
2023-11-02 w44 Thu - 2. Fundamentals. Threat model. (We can have the first presentation here)
2023-11-09 w45 Thu - 3. Threat modeling, fundamentals. Current crime case example. Ekaterina: End-to-end encryption on social media platforms.
2023-11-16 w46 Thu - 4. Antti: Secure software development on present days. Hashes, passwords and cracking them. Jani: Distributed denial of service.
2023-11-23 w47 Thu - 5. Public key encryption and signing. Bitcoin intro.
2023-11-30 w48 Thu - 6. Bitcoin. Presentations. Vanuhi. Riikka: Security concerns of low code platforms.
2023-12-07 w49 Thu - 7. Modern applications. Eeva: Microsoft Defender for Business. Mauri: Tempest - eavesdropping your wires wirelessly. Antti: Cybersecurity in Finland 2023. Markus: Supply Chain Attacks.
2023-12-14 w50 Thu - 8. Jouni: Data Center Security. Luis: Phishing. Dimitar: Zero Trust Security Model. Madhuka: API security. Giorgi: Augmented Reality & Its Implication on Modern World. Kim: ISO27001. Samuli: Kubernetes - security challenges of container orchestration.

* The live stream is online and fits everyone. If you have a ticket, you can also participate on site at Crowne Plaza.

Last time we had a couple of presentations in every class, starting from the second week. It worked great, so I hope you reserve your slots early. You can present in any class, the earlier the better.

Evaluation

Homeworks 70% and presentations 30%. Evaluation is based on totality of the skills and knowledge demonstrated.

Online classes require active participation. No recordings are provided.

(Haaga-Helia users should have free access to O'Reilly Learning aka Safari Online through our library, even when they are marked with € below)

r1 Overview, concepts and fundamentals

r2 Blockchain to Cryptocurrency

r3 Offensive Views

r4 CIA Triad and Encryption

r5 Applications: Pseudonymity

r6 BitCoin and Crypto Currencies

Give Feedback, please

Thanks already! It's important for me to get feedback from every single participant.

I will read it all (twice+) and make improvements. Please give your feedback through two channels: a comment here & MyNet.

1) Free form feedback as a comment on this page

  1. Write your comment on this page.

You can write whatever you want. No need to repeat the questions, but they are here to get you started.

  • Did you learn something? Do you now know something you did not know before the course? (Models, frameworks, ideas, tools?)
  • Did you do something for the first time? (Used some technique or a tool for the first time?)
  • Is this useful? Are these skills and this knowledge useful in companies or your work?
  • How did you like the presentations? Interesting subject? Did you like presenting? Commenting presentations?
  • Did you find homework useful? Interesting? Challenging enough?
  • Feelings: did you enjoy the course? Did you like the atmosphere in the classes?
  • How could I improve the course? (I can make almost any change here, if it's important)
  • Would you recommend the course? Have you already recommended it? Who would benefit from the course (a colleague, a fellow student)?

2) Numeric feedback to Haaga-Helia feedback system (MyNet / Peppi)

  1. Feedback in MyNet (Peppi)

1-worst, 5-best

  • Your active participation in studies
  • Achieving the learning goals
  • The study methods supported learning
  • The study environment supported learning
  • Benefits to your career

Open questions; you can copy the same answer you gave earlier

  • What promoted your learning?
  • How would you develop the implementation / group of implementations further so that the learning goals could be achieved better?

Your overall assessment of the implementation, 1-worst, 5-best

How likely would you recommend the course to your fellow students? 1-worst, 10-best.

Thank you for your feedback, and thank you for our course!

Optional: Keep up with Linux & security, join Tero's list. (And get invitations to visitors on security)

See you in my future courses!

Homework

Homework is due 24 hours before next class starts. Return a link to Laksu and evaluate two.

Homeworks are done with a computer and reported at the same time. If some task does not require performing tests with a computer, it's specified in writing in the subtask.

Each homework is returned

  • 24 h before start of next lecture
  • you can publish your homework report on any website you like
  • return a link to Laksu
  • cross-evaluate two other homeworks

To save everyone's time, I will remove those from the course who don't return homework.

Github is a convenient place to publish your reports; others are Gitlab and Wordpress.com. I highly recommend publishing your work. But if you don't dare to or don't want to publish, you can put your web page behind a password (e.g. in Wordpress.com, the same password for all reports) and share this password with your group. Or use a pseudonym or an alias.

All sources must be referred to: this task page, classes, reports from your classmates, classmate presentations, man pages, the article you found...

The returned link must open the report directly. For example, return the link to your "h1-helsec.md", not the front page of your website. The web page must open directly in a web browser, so it must be HTML. (Github will automatically convert your Markdown to HTML.) Other formats are not accepted (no docx, no pdf, no odt, no xlsx...).

AI and large language models (LLM): You can ask AI or LLM a question and use the answer as facts for your own answer, written in your own words. AI must be marked as a reference, with details such as prompt (and for advanced users system prompts, temperature, jailbreaks...). LLMs tend to hallucinate, so you should check answers from more reliable sources. It's not allowed to generate text with AI or similar technologies. For example, it's not allowed to generate essay answers or summaries with AI, LLM or similar technologies.

The homeworks are official after they are given in the class. Don't start them before, because they might change. I will of course give homeworks based on what we actually talked about.

h0 hello

This exercise is the first, easy step towards version control systems. Even though you're just clicking buttons on the website, it uses the world-leading version control tool git in the background. Git even links its objects with a tree of hashes (a Merkle tree), much like Bitcoin links its blocks.

  • a) Create a web page using Github. Return it to Laksu, and cross evaluate two.

Tips

  • Read this first: Karvinen 2023: Create a Web Page Using Github
  • Write the page in Markdown. Add headings and paragraphs.
  • Browse to the page where you can see your new page rendered normally (headings in bigger text than paragraphs). The correct link to return is shown in your browser's address bar.
  • Remember to use md suffix, so that the website knows it's Markdown. E.g. "tero.md".
  • Normally, the cross evaluation has free form feedback: good, bad, ideas for improvement, tips... But for this h0, there is not much to comment on and one sentence is enough. If you can see a page with a paragraph and a heading, it's a five. (For the rest of the course, in feedback for actual homework (h1, h2...), your classmates will surely appreciate longer, more insightful feedback.)

h1 HelSec

You can only start tasks after accepting course rules in Moodle, as tasks from b on have offensive (hacking) exercises.

  • a) Helsec presentation. Listen, summarize and analyse one HelSec presentation. Connect the themes to your own experience, work or additional literature. Point out open questions or your own analysis. (This subtask does not require tests with a computer.) Helsec video stream twitch.tv/helsec , schedule
  • b) Gandalf. Make Gandalf tell you the password. How far can you go? https://gandalf.lakera.ai/
  • c) So what, Gandalf? What does hacking Gandalf tell you about AI security? Is there a bigger picture here? Can you find sources that discuss this problem? (This subtask does not require tests with a computer)

Tips

  • Presentation
    • Show your own thinking when writing about the presentation. Feel free to bring in ideas from outside the presentation. A summary is not enough, and probably would not entertain your professional / hacker brain enough anyway.
    • If some force majeure makes it impossible to watch the Helsec stream (e.g. the stream goes permanently down), you can choose a full length presentation from a pre-recorded security conference on Youtube. For example Disobey, RSA Conference, Black Hat... Or an earlier HelSec presentation. But if the Helsec live stream works, we'll use that.
  • Gandalf
    • This is the first hacking task
    • Report
      • every step you took (and why you chose this step)
      • the result
      • your analysis of the result
    • Your report should be repeatable, so that given the exact same circumstances, another person could get the same errors and fix them the same way
    • Technical reporting is also a technique for solving challenging problems. You'll learn more about this aspect later in the course.
    • Of course there are walkthroughs on the net. Don't look at them yet!
    • How far could you go by yourself? At minimum, passing one level is accepted for this task.
    • If you get stuck and have to look at a walkthrough, mark where it happened and refer to the source
  • Is it just a game
    • Can you link Gandalf to bigger picture? Business impacts? Security of large language models in general?

h2 Crown Jewels and Bad Guys

You'll start your own little lab by installing Linux in a virtual machine. You'll read the paper on the cyber kill chain. And you'll build a threat model, a key tool for deciding what security is needed.

  • x) Read and summarize. Some bullets are enough for a summary. Add your own views, and make it clear which part is yours and which part is from the article. What does it mean to me / my line of work? Can I link it to my experience and other cases I know?

  • a) Make-believe boogie-man. Create a threat model for an imaginary company.

    • This subtask does not require tests with a computer.
    • Narrative answer with analysis and a diagram is expected.
    • Create an imaginary company and create threat model.
    • Business requirements come from the business; technical specialists help with the technology. Include this in your narrative.
    • Your analysis should cover all parts of the four question model (four key questions in Threat modeling manifesto)
    • Limit the size of your work. A full blown enterprise analyzed from A to Z is too big here, so select interesting parts to show and practice your threat modeling skills.
  • b) Incident analysis. Use the (Hutchins et al 2011) cyber kill chain framework for analyzing a security incident of your choosing. You can pick any incident you want, but try to pick a source that gives you enough technical and business detail to do some analysis. (This task requires choosing a specific security incident and finding information about it.) (Voluntary bonus: if you want to go all techie, feel free to use the MITRE ATT&CK model)

  • c) Starting a lab. Install Debian on VirtualBox. Report your work step by step while you're working. Also report the environment (including the host OS and the real physical computer used).

  • d) Voluntary bonus: What do you consider the fundamentals of security? What are the theoretical foundations you would teach on the first day?

ps. Feel free to email Tero your subject. It's nice to have the presentations early in the course.

Tips:

  • Some bullets for each article are enough. You don't need to have all the content of the long articles in your summary.
  • For the summary, add your own questions, ideas or comments
  • Hutchins et al. is the cyber kill chain paper.
  • Threat modeling
    • (1) What are we working on?
      • Our assets
        • Prioritization, key assets
        • E.g. customer health data is a crown jewel, the personnel gaming server is probably not
      • Security supports business
      • Draw a diagram of the company systems
      • Write a description.
    • (2) What can go wrong?
      • Bad guys - what are they going to do?
      • Apply one or more named models: Attack trees, STRIDE, ATT&CK...
        • Give some examples of identified risks - you don't need to find all risks or likely vulnerabilities, as there would be too many for this homework.
      • Prioritize the biggest risks
        • High expected value (or other very high risk)
        • Expected value = probability * monetary value
        • Expected value is a tool for discussion, it's not exact science as we have to guestimate the input numbers
      • Are you targeted by specific threat actors?
        • Known TTPs? (tactics, techniques, procedures)
        • COI - Capability, Opportunity, Intent
    • (3) What are we going to do about it?
      • Can you: reduce attack surface, limit entry points...
      • Reduce, transfer, avoid, accept
    • (4) Did we do a good enough job?
      • Security audits, pentests, assessments, continuous threat modeling and evaluation
  • For reporting technical tasks (e.g. Debian installation)
    • Write report at the same time you do the work
    • Report each step
      • What you did and why
      • What do the parts of the command mean (e.g. 'fobarize --xyzzy -asdf 23.bar' needs each flag explained)
      • What happened (and relevant parts of command output)
      • What does it mean
      • Test the end result, if possible
    • Also report environment, OS, host OS, hardware, versions of software used
    • Add sensible number of screenshots
  • Refer to each source you've used: the course, the task given, the papers, the podcasts - all sources you've used. All sources must be mentioned in every document, page or blog using them. It's enough to just name and link them; you don't need to write another list at the end. In fact, it's important to know which information comes from which source.
  • Got stuck with VirtualBox or Linux? Don't worry, computers are like that. Write a detailed report (in your homework) with screenshots. Explain what approaches you took and what happened. List where you found advice or articles. Explain your ideas on why it would not work. You'll get help and advice in the class (and that's not all - you'll also get Linux on your virtual machine).
  • O'Reilly Learning € (former Safari) is a bit pricey, but Haaga-Helia students get free access through the Haaga-Helia library A-Z page.

h3 Hashes

This week, you'll learn about hashes. They identify files, and they make it possible to check that a password is correct without storing the password itself. They are also the very thing that connects the blocks in a blockchain. For attackers, cracking hashes is often a key step towards lateral movement, gaining a larger foothold in the target network after initial access.

You can practice cracking on our own hashes here. Some of the material linked here also shows penetration testing techniques that can only be practiced in isolated test networks; those techniques are not taught here and are not needed in the homework. Safe ways to practice those more offensive techniques are taught in Tero's course Penetration testing / Tunkeutumistestaus. You're only allowed to start the password hash cracking task after accepting the course rules in Moodle. Most of you have probably accepted them already a week ago.

x) Read and summarize (with some bullet points)

a) Billion dollar busywork. Command 'echo -n 'Tero'|sha256sum' prints hash "ba2addbf481bdf4a0178cbf5608e681cb9af519d85fe4d51efe88a4eed9673ed". Try adding something to the string, e.g. 'echo -n 'Tero asdf'|sha256sum'. What do you have to add to get a hash that starts with a zero? (Voluntary bonus: How is this related to Bitcoin? Voluntary difficult bonus: How many zeros can you get to the beginning?)

b) Compare hash. Create a small text file. Take its hash (e.g. 'sha256sum tero.txt'). Change one letter. Take the hash again. Compare the hashes. What do you notice?
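As an added worked example (my own code, not part of the original task page), the following Python script does what a) and b) ask, by hand: it appends a counter to the string until the SHA-256 digest starts with the wanted number of zeros, the way a Bitcoin miner searches for a nonce, and it counts how many of the 256 digest bits flip when one letter of the input changes. The 'Tero' prefix is taken from the task; the "prefix counter" input format and the test strings are my own choice.

```python
import hashlib


def sha256_hex(text: str) -> str:
    """SHA-256 of the UTF-8 bytes of text as lowercase hex; same as: echo -n 'text' | sha256sum."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_nonce(prefix: str, zeros: int = 1, limit: int = 50_000_000):
    """Append counters to prefix until the digest starts with `zeros` hex zeros.

    Returns (nonce, digest, tries). This is hash-based proof of work in miniature:
    there is no shortcut, every attempt costs one hash, and the expected number
    of tries grows 16x for every extra leading hex zero (one hex digit = 4 bits).
    """
    target = "0" * zeros
    for nonce in range(limit):
        digest = sha256_hex(f"{prefix} {nonce}")   # constructed input format: "Tero 0", "Tero 1", ...
        if digest.startswith(target):
            return nonce, digest, nonce + 1
    raise ValueError(f"no nonce below {limit} gives {zeros} leading zeros")


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many bit positions differ between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(text: str) -> dict:
    """Change the last letter of text and report how much of the 256-bit digest changes."""
    changed = text[:-1] + ("a" if text[-1] != "a" else "b")
    before, after = sha256_hex(text), sha256_hex(changed)
    return {"original": text, "changed": changed,
            "bits_differ": differing_bits(before, after), "bits_total": 256}


if __name__ == "__main__":
    for zeros in range(1, 5):
        nonce, digest, tries = find_nonce("Tero", zeros)
        print(f"{zeros} leading zero(s): 'Tero {nonce}' after {tries} tries -> {digest}")
    print(avalanche("Tero was here"))   # a good hash flips roughly half of the bits
```

Run it as is and compare the 1-zero result with your own shell experiment; the tries column is the thing to watch when you add zeros, because that growth is exactly the knob Bitcoin turns when it adjusts difficulty.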

b) Install hashcat and test that it works.

c) Crack this hash: 21232f297a57a5a743894a0e4a801fc3

d) Crack this Windows NTLM hash: f2477a144dff4f216ab81f2ac3e3207d

e) Try cracking this hash and comment on your hash rate: $2y$18$axMtQ4N8j/NQVItQJed9uORfsUK667RAWfycwFMtDBD6zAo1Se2eu . This subtask does not require actually cracking the hash, just trying it and commenting on the hash rate.

m) Voluntary bonus: make hashcat work with your display adapter (GPU).

n) Voluntary bonus: create some hashes of your own, then crack them with hashcat.

o) Voluntary bonus hash. John the Ripper aka 'john' might also work here.

$ sudo grep elmik9 /etc/passwd /etc/shadow
/etc/passwd:elmik9:x:1003:1003:Elmeri "9" Elmik,,,:/home/elmik9:/bin/bash
/etc/shadow:elmik9:$1$xpRkwrhq$aXdu7HQirUmuTZW2m8OXs.:18401:0:99999:7:::

Tips:

  • You can likely get the paywalled books and videos for free with your Haaga-Helia account, through Haaga-Helia library's A-Z Databases. This page has a lot of free goodies included in your Haaga-Helia student status. The login page for O'Reilly Learning has our login under the link "Institution not listed?".
  • Schneier's book is famous. It's pretty dense; if this was made by a Youtube influencer, you'd get three seasons of videos from the first couple of paragraphs.
  • 'sudo apt-get update', 'sudo apt-get install hashcat hashid micro bash-completion'
  • In many tutorials, the hackers guess the type of the hash by comparing it to examples. I prefer using 'hashid -m feedd0c5': the right hash type is usually in the top three, and the mode number shown after -m is the same as the required -m parameter for hashcat. Note that several common unsalted hashes (MD5, MD4, NTLM, LM) are all 32 hex characters, so hashid cannot tell them apart by looks alone; if the first candidate doesn't crack, try the next mode on the list.
  • You can use rockyou.txt or similar dictionary.
  • Some of the practical exercises can be challenging if you're new to the world of hacking. Don't worry, computers are like that. Write a detailed report (in your homework) with screenshots. Explain what approaches you took and what happened. List where you found advice or articles. Explain your ideas on why it would not work. You'll get help and advice in the class. As these are the tools that actual hackers and pentesters use, they are optimized more for getting results than for being beginner friendly.
  • Only test on practice data and practice targets. Follow the laws, never point any of these tools to production data or production systems.
  • If you're in another jurisdiction (not Finland), also check the local rules and laws before any pentest related practice.
  • You can email Tero to reserve your presentation topic.
  • Something to think about: we just learned that hashing is a one-way function. If this is true, why can you crack the hash and find out the original password?

h4 Pubkey

You're using public key encryption every day. If you know what you're doing, it can help you even more.

  • x) Read and summarize (with some bullet points)
  • a) Pubkey today. Explain how you have used public key cryptography today or yesterday, outside of this homework. In addition to naming the system, identify how the different parties use keys in the different steps of the system. (Answering this question likely requires finding sources on your own. This subtask does not require tests with a computer.)
  • b) Messaging. Send an encrypted and signed message using PGP, then verify and decrypt it. (You can use folders to simulate users, or use two computers or two different OS users. Don't use Tero as a name of any party, unless that's your given name.)
  • c) Other tool. Encrypt a message using a tool other than PGP. Explain how different parties use different keys at different stages of operation. Evaluate the security of the tool you've chosen.
  • d) Eve and Mallory. In many crypto stories, Eve is a passive eavesdropper, listening on the wire. Mallory maliciously modifies the messages. Explain how PGP protects against Mallory and Eve. Be specific about which features, which use of keys and which flags in the command are related to this protection. (This subtask does not require tests with a computer)
  • f) Password management. Demonstrate use of a password manager. What kind of attacks take advantage of people not using password managers? (You can use any password manager, some examples include pass and KeePassXC.)
  • g) Refer to sources. Verify each homework report (this and the earlier ones) refers to sources. Every homework report should refer to this task page. It should also have references to any other source used, such as web pages, LLMs, man pages, other reports... References are mandatory, and must be present in every report. (This subtask does not need a report, you can just do it and write "Done." as the answer for this subtask.)
  • h) Voluntary, challenging, requires coding: Cryptopals: Challenge Set 1:
    • 1 Convert hex to base64 (feel free to use a library for base64)
    • 2 Fixed XOR
    • 3 Single-byte XOR cipher
    • 4 Detect single-character XOR (This looks tough before you have solved 1-3)
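Added example for b) and d) above, my own code rather than anything from the page or from GnuPG: it drives gpg from Python with two temporary home directories standing in for Alice and Bob. Each side generates a key pair, they exchange public keys only, Alice signs and encrypts, Bob decrypts and verifies, and finally one base64 character of the armored message is changed to play Mallory and Bob's second attempt is expected to fail. The names, addresses and message are made up; the block assumes gpg 2.1 or newer on PATH and returns a result dictionary instead of relying on printed output.

```python
import os
import shutil
import subprocess
import tempfile


def _gpg(home: str, *args: str, stdin: bytes = None) -> subprocess.CompletedProcess:
    """Run gpg non-interactively against one keyring directory, i.e. as one simulated user."""
    cmd = ["gpg", "--homedir", home, "--batch", "--yes", "--no-tty",
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True)


def _tamper(armored: str) -> str:
    """Mallory: change one base64 character in the body of an ASCII-armored message."""
    lines = armored.split("\n")
    body = [i for i, line in enumerate(lines)
            if line and not line.startswith(("-----", "=", "Version:", "Comment:"))]
    i = body[len(body) // 2]
    lines[i] = ("B" if lines[i][0] != "B" else "C") + lines[i][1:]
    return "\n".join(lines)


def pgp_roundtrip(message: bytes = b"Meet at 17:40 in Jitsi. Bring the hash list.\n") -> dict:
    """Alice signs+encrypts to Bob, Bob decrypts+verifies, then Bob rejects a tampered copy."""
    if shutil.which("gpg") is None:
        return {"skipped": True}
    with tempfile.TemporaryDirectory() as tmp:
        alice, bob = os.path.join(tmp, "a"), os.path.join(tmp, "b")
        for home, uid in ((alice, "Alice <alice@example.test>"), (bob, "Bob <bob@example.test>")):
            os.mkdir(home, 0o700)
            _gpg(home, "--quick-gen-key", uid, "default", "default", "never").check_returncode()
        # Key distribution: each side imports the other's PUBLIC key; private keys never leave their home dir.
        for src, dst, uid in ((alice, bob, "alice@example.test"), (bob, alice, "bob@example.test")):
            pub = _gpg(src, "--armor", "--export", uid)
            pub.check_returncode()
            _gpg(dst, "--import", stdin=pub.stdout).check_returncode()
        msg, cipher, out, bad_cipher, bad_out = (os.path.join(tmp, n) for n in
                                                  ("msg.txt", "msg.asc", "out.txt", "tampered.asc", "out2.txt"))
        with open(msg, "wb") as fh:
            fh.write(message)
        # Alice: --sign uses HER private key (authenticity and integrity, defeats Mallory),
        #        --encrypt uses BOB's public key (confidentiality, defeats Eve).
        _gpg(alice, "--trust-model", "always", "--local-user", "alice@example.test",
             "--recipient", "bob@example.test", "--armor", "--sign", "--encrypt",
             "--output", cipher, msg).check_returncode()
        # Bob: --decrypt uses HIS private key; the embedded signature is checked with Alice's public key.
        # --status-fd 1 puts machine-readable status lines (GOODSIG, VALIDSIG, ...) on stdout.
        good = _gpg(bob, "--status-fd", "1", "--output", out, "--decrypt", cipher)
        status = good.stdout.decode(errors="replace")
        plaintext = open(out, "rb").read() if os.path.exists(out) else b""
        with open(cipher) as fh:
            tampered = _tamper(fh.read())
        with open(bad_cipher, "w") as fh:
            fh.write(tampered)
        bad = _gpg(bob, "--status-fd", "1", "--output", bad_out, "--decrypt", bad_cipher)
        for home in (alice, bob):   # stop the per-homedir agents before the directory is removed
            subprocess.run(["gpgconf", "--kill", "all"], env={**os.environ, "GNUPGHOME": home},
                           capture_output=True)
        signer = next((line.split(" ", 3)[3] for line in status.splitlines()
                       if line.startswith("[GNUPG:] GOODSIG")), None)
        return {
            "skipped": False,
            "plaintext_matches": good.returncode == 0 and plaintext == message,
            "signature_ok": "[GNUPG:] GOODSIG" in status,
            "signer": signer,
            "tamper_rejected": bad.returncode != 0
                               and "[GNUPG:] GOODSIG" not in bad.stdout.decode(errors="replace"),
        }


if __name__ == "__main__":
    for key, value in pgp_roundtrip().items():
        print(f"{key}: {value}")
```

The two flags to point at in your d) answer are visible here: --encrypt with --recipient (Bob's public key, so Eve sees only ciphertext) and --sign with --local-user (Alice's private key, so Bob's gpg can detect Mallory's change and refuses to report GOODSIG). --trust-model always only silences the web-of-trust question for a key we just imported ourselves; in real use you would verify Bob's fingerprint instead.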

h5 Not Byzantine

  • x) Read and summarize (with some bullet points)
  • a) Wallet. Create a BitCoin testnet wallet.
  • b) Faucet. Get worthless fake money from a testnet Bitcoin faucet.
  • c) Giveaway. Move money to another Bitcoin wallet. Choose an amount where the last two digits are 42.
  • d) Explorer. Use a block explorer to analyze a block on the real Bitcoin blockchain. Explain what each value and field means. You only need to analyze the block information and one sample transaction, as a block can contain many transactions.
  • e) Voluntary: Brainiac. Demonstrate how a hierarchical deterministic (HD) wallet can be regenerated from its seed phrase (BIP39, or Electrum's own seed format). You can rename the configuration folder to simulate a fresh start. In real life, you would keep the phrase away from your computer, but for this simulation, you can copy-paste it instead of memorizing it.
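Added example for d), not part of the original page: instead of only reading the fields off a block explorer, parse the raw 80-byte block header yourself and recompute the values the explorer shows. The header below is the real genesis block (block 0) of the Bitcoin main chain, so every computed value can be checked against any explorer; the dictionary key names are my own. It also shows where the leading zeros of a block hash come from: the hash must be below the target encoded in the compact "bits" field.

```python
import hashlib
import struct
from datetime import datetime, timezone

# The real 80-byte header of Bitcoin block 0 (genesis), serialized as on the wire:
# little-endian integers, hashes in internal (byte-reversed) order. Not a constructed value.
GENESIS_HEADER_HEX = (
    "01000000"                                                            # version
    "0000000000000000000000000000000000000000000000000000000000000000"    # previous block hash (none)
    "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"    # merkle root of the transactions
    "29ab5f49"                                                            # time (unix seconds)
    "ffff001d"                                                            # bits (compact target)
    "1dac2b7c"                                                            # nonce found by the miner
)
MAX_TARGET = 0xFFFF * 256 ** (0x1D - 3)   # target at difficulty 1, i.e. bits = 0x1d00ffff


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Decode the compact 'bits' field: the high byte is an exponent, the low three bytes a mantissa."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa * 256 ** (exponent - 3)


def parse_header(header_hex: str) -> dict:
    """Split a raw header into its six fields, compute the block hash and check the proof of work."""
    raw = bytes.fromhex(header_hex)
    if len(raw) != 80:
        raise ValueError("a block header is exactly 80 bytes")
    version, prev, merkle, timestamp, bits, nonce = struct.unpack("<I32s32sIII", raw)
    block_hash = double_sha256(raw)[::-1]   # explorers show hashes byte-reversed, hence the "leading zeros"
    target = bits_to_target(bits)
    hash_hex = block_hash.hex()
    return {
        "version": version,
        "prev_block": prev[::-1].hex(),
        "merkle_root": merkle[::-1].hex(),
        "time": timestamp,
        "time_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "bits": f"{bits:08x}",
        "target": f"{target:064x}",
        "nonce": nonce,
        "hash": hash_hex,
        "leading_zero_hex_digits": len(hash_hex) - len(hash_hex.lstrip("0")),
        "pow_valid": int.from_bytes(block_hash, "big") <= target,
        "difficulty": MAX_TARGET / target,
    }


if __name__ == "__main__":
    for field, value in parse_header(GENESIS_HEADER_HEX).items():
        print(f"{field:24} {value}")
```

To repeat this for a current block, copy the raw header hex from an explorer (most show it, or the six fields separately) into parse_header; the difficulty you get back is the same number the explorer displays, and pow_valid is the check every full node performs before accepting the block.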

Tips

  • sudo apt-get update; sudo apt-get install electrum; electrum --testnet
  • search
    • bitcoin testnet faucet
    • bitcoin explorer
  • To simulate a fresh install of electrum, 'mv -nv ~/.electrum/ ~/DIS-electrum' (command is from my memory)
  • Electrum's own seed words are not BIP39 by default. If you created the wallet from a BIP39 phrase, choose the BIP39 option from the seed options when restoring; a native Electrum seed restores without it.

h6 Iceberg

In Finland, it's legal to use TOR at the time of writing. If you reside in another jurisdiction, the laws might be different. Obviously, it's illegal to do illegal things in TOR, just like it's illegal to do illegal things anywhere. Only do legal things.

If you reside in a jurisdiction where using TOR is illegal, you obviously can't install it and do the related tasks. If you cannot or do not want to do the hands-on darknet tasks, the alternative task is: based on literature only (no hands on tests, no installation), compare anonymous/pseudonymous networks, such as TOR, I2P, Freenet and others. How do their goals, technology and other features differ? How are they similar? Add references. Link differences and benefits to technical and architecture aspects.

  • x) Read and summarize (briefly, e.g. with some bullets)
  • a) Install TOR browser and access TOR network (.onion addresses). (Explain in detail how you installed it, and how you got access to TOR).
  • b) Browse TOR network, find, take screenshots and comment
    • search engine for onion sites
    • marketplace
    • fraud
    • forum
    • a well known organization
  • c) In your own words, how does anonymity work in TOR? (e.g. how does it use: public keys, encryption, what algorithms? This subtask does not require tests with a computer.)
  • d) What kind of threat models could TOR fit? (This subtask does not require tests with a computer.)
  • e) Voluntary: I2P. Install and demonstrate use of I2P.
  • f) Voluntary: Hyphanet. Install and demonstrate use of Hyphanet (earlier known as Freenet).
  • g) Voluntary: GNUnet. Install and demonstrate use of GNUnet.

Tips:

  • Be cautious: don't trust anonymous sites, don't enter your name or other personal details anywhere.
  • OPSEC is hard, any single tool will not magically make you untraceable.
  • Shavers & Bair book is available for free using your HH credentials and Haaga-Helia A-Z page.

h7 Hacker Feed

  • x) Read/watch and summarize (briefly, e.g. with some bullets)
    • Hacker conf. Choose a presentation video from a hacker conference. For example, you can search Youtube for HelSec, Disobey, RSA Conference, Black Hat, or have a look at InfoconDB.
  • a) Voluntary: Install and test an RSS feed reader.
  • b) Voluntary: Add feeds from Ycombinator Hacker News and Schneier.
  • c) Voluntary: Find another interesting security related feed.
  • d) Voluntary: h8 "bonus", if you want

Tips:

  • RSS readers include Thunderbird, Newsboat, Flym, Akregator...
  • Check that each of your homework reports refers to this task page and all other sources you've used: course, task page, homework reports by other students, man pages...
  • Want to get invites to security presentations by visitors? Join my list.

h8 bonus

This h8 is completely voluntary. If you want to do this task, the deadline is the last class.

If you update any tasks: Keep it true! Make it clear that practical tasks are actually done with a computer, include detail and screenshots. Make it clear how events progressed. When were the updates done? What was the order of the events?

  • a) Updated: List and link tasks where you added substantial updates after cross review.
  • b) Bonus: List and link voluntary bonus tasks you've completed.