Information Security
Course ICI002AS2AE-3004 - Early Spring 2025

Understand adversarial view on security. Recognize key concepts of security. Be able to safely practice hands-on with security tools.

Face-to-face in a real life classroom. In English.

Course name and code:Information Security ICI002AS2AE-3004
Timing2025 period 3, early spring, w03-w11, not w08
Credits5 cr
ClassesTuesdays 11:00 - 13:45, in Pasila pa5001, bring your laptop
Max students30
LanguageEnglish
TypeContact, in physical classroom, mandatory participation [as requested]
Feedback4.8 / 5 Excellent feedback Five star experience *
ServicesMoodle, Laksu. Optionally Tero's list.
First class2025-01-14 w03 Tuesday 11:00, Pasila pa5001, physically present with your laptop

* I'm giving other security courses, too. Penetration testing (challenging course in Finnish) has reached excellent 5.0 /5, with every participant giving feedback and each feedback being 5. And Master level (YAMK) Trust to Blockchain has reached excellent 4.9 /5.

Goals

After completing this course, you will

  • Understand adversarial view on security
  • Recognize key concepts of security
  • Be able to safely practice hands-on with security tools

Hands-on exercises will emphasize environments fully controlled by you, using free open source software in your possession.

Agenda

Tuesdays from 11:00 - 13:45 in Pasila pa5001. Bring your laptop!

DateTheme
2025-01-14 w03 Tue1. Organizing. Threath modeling.
2025-01-21 w04 Tue2. Cyber kill chain. Kristian: USB loading stations. First presentations, reserve by email.
2025-01-28 w05 Tue3. Practice environments.
2025-02-04 w06 Tue4. Web security. OWASP 10.
2025-02-11 w07 Tue5. Encryption. Asymmetric vs symmetric. GPG. SSH. Jonas: Music leaks.
(w08 is winter holiday)(No classes, no homework deadlines on winter holiday)
2025-02-25 w09 Tue6. Passwords. Hashes introduction. Cracking hashes and passwords.
2025-03-04 w10 Tue7. Darknet, TOR. Sean: Privileged Access Management. Efe.
2025-03-11 w11 Tue8. Recap. Last presentations.

Eight security Mondays in Pasila. All classes require active participation. I have changed this course to contact (physically in the class) as requested in the feedback.

There will likely be updates to the contents of the classes as the course advances.

You can reserve a spot for your presentation as soon as on the second class.

Assessment

  • Active participation in classes
  • Homework and cross evaluation (66%)
  • Presentation (33%)

Evaluation of the course is based on totality of the work presented.

Previous courses

Homework

Homeworks are done with a computer and reported at the same time. If some task does not require performing tests with a computer, it's specied writing.

Each homework is returned

  • 24 h before start of next lecture
  • you can publish your homework report in any website you like
  • return a link to Laksu
  • cross-evaluate two other homeworks

To save everyone's time, I will remove those from the course who don't return homework, or who don't cross evaluate class mates work.

Github is a convenient place to publish your reports, others are Gitlab and Wordpress.com. I highly recommend publishing your work, it seems to help getting (better) job offers. But if you don't dare or want to publish, you can put your web page behind a password (e.g. in Wordpress.com, same password for all reports), and share this password with your group.

AI and large language models (LLM): You can ask AI or LLM a question and use the answer as facts for your own answer, written in your own words. AI must be marked as a reference, with details such as prompt (and for advanced users system prompts, temperature, jailbreaks...). LLMs tend to hallucinate, so you should check answers from more reliable sources. It's not allowed to generate text with AI or similar technologies. For example, it's not allowed to generate essay answers or summaries with AI, LLM or similar technologies.

The homeworks are official after they are given in the class. Don't start them before, because they might change.

h0 Hello, web!

a) Publish a web page. Show that you can make headings (h1 #, h2 ##...), paragraphs (p, empty line), links (a http://example.com) and code style (code or pre, four spaces at start of line). Markdown recommended.

Tips

Karvinen 2023: Create a Web Page Using Github

h1 Should Tero wear a helmet?

  • x) Read / watch / listen and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like. Add some question or idea of your own.)
  • a) Security hygiene. What basic security practices should everyone follow? Are there some security hygiene practicies that every company or average Joe should follow? (This subtask does not require tests with a computer. A bullet list is enough)
  • b) Make-belief boogie-man - a threat model for imaginary company.
    • This subtask does not require tests with a computer.
    • Create an imaginary company and create threat model.
    • Business requirements come from business, technical specialist help with tech. Inlude this in your narrative.
    • Your analysis should cover all parts of the four question model (four key questions in Threat modeling manifesto)
      • (1) What are we working on?
        • Our assets
          • Priorization, key assets
          • E.g. customer health data is a crown jevel, personel gaming server is probably not
        • Security supports business
        • Draw a diagram of the company systems
        • Customer is the king
          • What do we have to do the serve the customer (to keep getting paid)
          • How does customer see our systems? Touchpoints?
        • Write a description.
      • (2) What can go wrong?
        • Apply one or more named models: Attack trees, STRIDE, CIA, ATT&CK...
          • Give some examples of identified risks - you don't need to find all risks or likely vulnerabilites, as there would be too many for this homework.
        • Priorize biggest risks
          • High expected value (or other very high risk)
          • Expected value = probability * monetary value
          • Expected value is a tool for discussion, it's not exact science as we have to guestimate the input numbers
        • Are you targetted by specific threat actors? Are there actors that target your geographical or political area or industry?
          • Known TTPs? (tactics, techniques, procedures)
          • COI - Capability, Opportunity, Intent
        • Business continuity
          • We have to keep serving the customer to receive money.
          • Stakeholders (customer, employees...) trust us. Trust is hard to get and easy to lose.
      • (3) What are we going to do about it?
        • Can you: reduce attack surface, limit entry points...
        • META: Mitigage, Eliminate, Transfer, Accept.
      • (4) Did we do a good enough job?
        • Security audits, pentests, assesments, continous threat modeling and evaluation
        • Process, not a one time job. It never ends.

Tips:

  • Reading is for you.
    • Read the articles.
      • You learn the subject matter required to
        • complete the tasks
        • understand how the tasks are related to the field of infosec
      • You learn the channels to follow the scene after the course
    • Don't generate content with AI. Not understanding the arcticle will make it harder and harder to succeed in the future. Generating a lot of useless AI spam for classmates to read is disrespectful of their time.
    • You can answer with just a few bullets.
  • Refer to sources
    • Any book, page, video, man-page, report you use for home work task should be listed as a source.
    • This task page is of course one source for the report: Karvinen 2024: Information Security Course, https://terokarvinen.com/information-security/
  • Work on your own level
    • If you have background in security and IT, feel free to challenge yourself.
    • If you're just starting, just fumble around - bravely try the models. We will not implement your plan, nothing will happen in real life even if your threat model is not perfect.
  • Security hygiene
    • No brainer: Wouldn't it be great if you could just recommend some practices - even before conducting laboursome threat modeling?
  • Threat modeling
    • Think about the moment when you're using this in real life. You sit down on a table. You identify risks and choose how to use your limited resources. You colleagues will trust you can keep company systems safe and running.
  • Darknet Diaries
    • AntennaPod is convenient Android program for listening podcasts. It's available in F-Droid and Google Play. Of course, there are hundreds if not thousands other programs for podcasts, too.
    • Pick any episode. Check descriptions, and pick one that's likely to be suitable here. It's recommended to pick other than the latest or the one on top of the homepage, so we can look at different episodes.
  • When cross evaluating
    • Give comments
    • Use the whole scale (5 is every non-voluntary task solved and reported clearly)

h2 Kill Chain

We'll start zooming in from threat modeling ("what & why") to cyber kill chain ("how").

Tips

  • In "Read and summarize":
    • read first, then summarize
    • summarize key content
      • not just headings
      • don't just describe the article, tell the main things it says
    • add a question, an idea or a comment of your own to each article
  • Refer & link any sources you use
    • Course / the classes
    • Homework task page
    • Homework reports by other students
    • Any web pages
    • Manuals, Articles, Man pages...
    • Referencing your sources is required

h3 Hello Lab

This week, you start building your own hacking lab. You learn hacking by hacking.

  • x) Read/watch/listen and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like. Add a bullet for your own idea or question.)
  • a) Can't fish. Disable networking and show that packets don't go trough. For example, use 'ping 1.1.1.1' (Cloudfare DNS server) or 'ping 8.8.8.8' (Google DNS server). Do this task on your Linux.
  • b) Local only. Portscan your own computer using "localhost" address. It's illegal to portscan computers you don't own. Disconnect computer from the Internet while testing. Analyze your results. Do this task on your Linux.
  • c) Daemon scan. Install a daemon (a server application) and port scan again. For example, you could install Apache web server or OpenSSH secure remote shell. Analyze the differences to scan without the daemon. Do this task on your Linux.
  • d) Bandit oh-five. Solve Over The Wire: Bandit the first five levels (0-4). (Alternative task: you can instead do and report five harder levels if your Linux background makes this an easy task).
  • e) Voluntary bonus task: Underthewire: Century, a couple of levels. I have not tried this one myself, so also interested to hear your views. Inspired by OverTheWire, but for Windows Powershell.

Tips

h4 Johnny Tables

Remember to keep it safe, legal and ethical. Especially if you grasp OWASP 10, you still can't try these to machines you don't own.

You're only allowed to start these tasks after accepting course rules in Moodle.

Tips:

  • If you get stuck
  • F12 Developer tools: I'm using Firefox F12. But it probably works on Chromium, too.
  • You can update all software in Linux with
    • Open terminal
    • 'sudo apt-get update'
    • 'sudo apt-get dist-upgrade'
    • If this is your first full upgrade, reboot (it's only needed for kernel upgrades)
  • SQLZoo
    • If you've got a lot of experience with databases already and SQLZoo is too easy, you can instead install a relational database (Postgre, Mariadb...) and show CRUD (create, read, update, delete) operations using command line client and SQL.
    • Yes, I think they really run your queries on database management system
    • In SQL, you can often write long numbers in engineering notation, nine zeroes after two as 2e9 instead of 2000000000
  • Johnny tables
    • You only need your browser (even though the official example solution uses a paid tool by the makers of the lab)
    • Try different places. But if you're completely out of options: peek the solution, apply it to use just browser (no mitm proxy needed), mention in your report the hints used - and try to explain how the solution works.
  • WebGoat
    • What kind of quotes did SQL have?
    • If you raise everyone's salaries, are you the richest anymore?
    • The names here are the same as in OWASP 10 2021 and OWASP 10 2017.
    • In injections, it's nice to know:
      • SQL string delimiter (single quote, aphostrophe) "'" (end of user input, start of my hostile injection)
      • SQL comment (double dash) "--" (end of my evil injection, you can ignore the rest, dear database management system)
      • There are many ways to do SQL injection
  • b) Injected. Solve WebGoat:
    • A1 Injection (intro)

h5 Uryyb, Greb!

Public keys. You use them every day. Would you like to know more?

Also starring: my favourite crypto textbook. PGP and SSH, my favourite encryption tools / standards.

And for your winter holiday, there are some relaxing voluntary tasks.

  • x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
  • a) Install OpenSSH server, connect to it using 'ssh' client.
  • b) Automate SSH connection using public keys.
  • c) Pretty Good indeed. Encrypt and decrypt a message with 'gnupg', using PGP public key cryptography. (Note that here you learn each step; for end users, you can often automate and make it look simple)
  • d) Password manager, open and cloudless. Choose a password manager that 1) works without cloud 2) is free, open source sofware. Install it. Demonstrate its use. Explain why a password manager is needed i.e. what kind of attacks or threats it protects against.
  • m) Voluntary bonus: Encrypt and decrypt messages using a tool other than 'gnupg'. Explain each step. Why did you choose the tool you used here? Evaluate the tool.
  • n) Voluntary bonus: send and receive encrypted message over email.
  • o) Voluntary bonus: Find out frequency distribution of letters for a language that you know (other than English). What are the six most common letters? (This subtask y does not require tests with a computer if the question can be answered without them)
  • r) Voluntary bonus: TLS. Choose a transport layer security (TLS) certificate used for the web. Explain key fields. How do you / browser know it's legit? Who says so?
  • s) Voluntary bonus: ETAOIN. Crack this ciphertext:
    • HDMH'B TH. KWU'YI AWR WSSTOTMJJK M OWQINYIMLIY! MB KWU BII, BTGPJI BUNBHTHUHTWA OTPDIYB OMA NI NYWLIA RTHD SYIEUIAOK MAMJKBTB. BII KWU MH DHHP://HIYWLMYCTAIA.OWG
  • t) Voluntary bonus, easy: try rot13, the military grade top-secret encryption of the top-2 empire of year zero. Could double rot13 provide extra security? Why?
  • u) Voluntary difficult multiweek bonus, requries coding skills: Cryptopals (recommended, if you have what it takes).

Tips:

  • Gnupg is explained in the article.
  • I do hope you're using a password manager. If not, this is a good day to start.
  • Frequency distributions for most languages can be found in search engines and probably Wikipedia
  • ETAOIN
    • This challenge can be solved with pen and paper, no coder skills required. (Like most things, it's faster with a computer, though.)
    • Just like this course, the cleartext is in English
    • Looking at word lengths and spaces, this ciphertext is likely using a simple substitution cipher.
    • Use your eyes - can you identify possible common words or parts of them?
    • After ruling out Caesar (e.g. rot13), we can use frequency analysis
    • Most common letter in English is E, the second most common is T... The frequency table is ETAOIN shrdlu.
      • Frequency is about statistics and probability. It's not guaranteed that E is the most common, it's just likely. Especially short texts make statistical analysis less efficient.
      • It's much more likely that most common letters are from ETAOIN than the from the least frequent j, x or z.
    • Use your sisu
      • If first guess does not crack it, try another one.
      • Make notes as you work.
      • Document your approaches and how far you can get, even if you couldn't crack the whole thing.
  • O'Reilly Learning € (former Safari) is a bit pricey, but Haaga-Helia students get free access trough Haaga-Helia library A-Z page.
  • SSH is the leading tool to control servers
    • 'sudo apt-get update' 'sudo apt-get install ssh', 'sudo systemctl start ssh', 'whoami', 'ssh tero@localhost', 'exit'
    • Public key authentication 'ssh-keygen', 'ssh-copy-id tero@localhost'

Deadline for this task is after winter holiday, 2025-02-24 w09 Mon 11:00. But as they say, early bird gets the worm.

Adminstrivia

I will keep updating this page during and after the course.