Trust to Blockchain 2024
ICT Security Basics - from Trust to Blockchain - ICT4HM103- 2024 Late Autumn
Learn security fundamentals to understand current trends. Blockchains, TOR network and video conference encryption all stand on these fundamentals.
Excellent 4.9 out of 5 feedback.
Course name and code | ICT Security Basics - from Trust to Blockchain - ICT4HM103-3006 Study guide |
Timing | 2024 period 2 late autumn, w43-w50 |
Credits | 5 cr (masters level) |
Classes | Thu 17:40 - 20:30, online, mandatory participation |
Max students | 30 |
Language | English |
Remote | Yes, fully remote |
Feedback | 4.9 / 5 * Excellent feedback |
Services | Moodle: Trust to Blockchain, Jitsi, Laksu. Voluntary extra: Tero's list. |
First class | 2024-10-24 w43 Thu 17:40, Jitsi video conference link is in Moodle |
* Best feedback average for course was 4.9/5 excellent, lowest was 4.3/5 very good.
Learning goals
In this course, you will
- Learn fundamentals of computer security
- See them in hands on exercises
In detail, you'll
- Have an idea of computer security fundamentals (confidentiality, ...)
- Can put infosec tools in perspective, and have tested some of these tools
- Adversarial view - Can take attacker view (at least on a hypothetical level)
- Can relate information security to real life impacts
- Has had a look on some concurrent security tools and techniques
This course gives you grand overview of security principles and practice with tools implementing these principles. Even though you're expected to be able to install and configure programs and troubleshoot some errors, this is not my most technical course. If you want a demanding, hands on ethical hacking course, pick Tunkeutumistaus (Penetration Testing), Sovellusten hakkerointi ja haavoittuvuudet (Application hacking) or Verkkoon tunkeutuminen ja tiedustelu (Network Attacks and Reconnaissance) in addition to this.
Photo shows Mika Hirvelä's cryptomining rig, photo by Hirvelä.
Agenda
I will keep updating the subjects, but you can write dates to your calendar right away.
Every class is on Thursday evening, 17:40 - 20:30. It's video conference trough Jitsi, mandatory participation.
You can keep your presentation any suitable day, even on week two. Earlier is better. Email Tero to reserve a slot.
Date | Subject |
---|---|
2024-10-24 w43 Thu | 1. Welcome words. Overview of the course. |
2024-10-31 w44 Thu | 2. Fundamentals. Threat model. (We can have first presentation here) |
2024-11-07 w45 Thu | 3. Treath modeling, fundamentals. |
2024-11-14 w46 Thu | 4. Hashes, passwords and cracking them. Public key intro. |
2024-11-21 w47 Thu | 5. Helsec event (physically or through stream) |
2024-11-28 w48 Thu | 6. Public key encryption and signing. Bitcoin. |
2024-12-05 w49 Thu | 7. Modern applications. |
2024-12-12 w50 Thu | 8. Recap. Last presentations. |
* Live stream is online and fits everyone. If you got a ticket, you can also participate in Crowne Plaza.
Last time we had a couple of presentations every class, starting from second week. It worked great, I hope you reserve your slots early. You can present in any class, the earlier the better.
Evaluation
Homeworks 60% and presentations 40%. Evaluation is based on totality of the skills and knowledge demonstrated.
Online classes require active participation. No tapes are provided.
Literature and links
(Haaga-Helia users should have free access to O'Reilly Learning aka Safari Online trough our library, even when they are marked with € below)
r1 Overview, concepts and fundamentals
- OWASP 10 pdf, p 21-22: Note About Risks; Details About Risk Factors.
- Schneier 1999: Modeling security threats (Attack trees)
- Darknet Diaries . (You can find interesting security incidents here. It's hours and hours of material, so just have a look. To listen to podcasts on Android, you can use AntennaPod from F-Droid)
- Krebs on Security (It's a whole blog, so just have a look. You can find security incident writeups here)
- MITRE ATT&CK (Tactics, techniques and procedures. It's big, it's enough to just have a look. )
- Hutchins et al 2011: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (cyber kill chain)
r2 Blockchain to Cryptocurrency
Nakamoto, Satoshi 2008: Bitcoin: A Peer-to-Peer Electronic Cash System. (A colored HTML version. This is the paper that defined and introduced BitCoin. You can skip "11. Calculations" if you don't like sigma symbols. URL and email address on top of the paper seem unbeliveable and added by third party.
Felten et al 2015: Bitcoin and Cryptocurrency Technologies, videos Week 1 (about 1 hour). Requires free registration. If you find it easy to follow, you can also optionally look at week 2 (1,5 h).
r3 Offensive Views
- Karvinen 2020: Remote Learning Tools for Tero's Courses: Install Virtual Xubuntu Linux
- Karvinen 2019: Install WebGoat PenTest Learning Tool on Ubuntu – with Docker (Make sure your address starts with "localhost" when you practice.
- Disobey 2020 Videos were just published. There are hours of videos, just have a look. Antti Virtanen: "I'm in your office" is an easy start.
- MitmProxy on Kali and Xubuntu – attack and testing
r4 CIA Triad and Encryption
- Schneier 2015: Applied Cryptography Chapter 1: Foundations €
- Curtin 1998: Snake Oil Warning Signs: Encryption Software to Avoid
r5 Applications: Pseudonymity
- Shavers & Bair 2016: Hiding Behind the Keyboard: The Tor Browser €
r6 BitCoin and Crypto Currencies
- Määttä et al 2020: Virtuaalivaluuttojen verotus VH/5083/00.01.00/2019. Previous version is available in English. Latest English version was not available in at the time of writing. This is a long document, only read the parts relevant to you.
Homework
Homework is due 24 hours before next class starts. Return a link to Laksu and evaluate two.
Link to Laksu is in Moodle.
Homeworks are done with a computer and reported at the same time. If some task does not require performing tests with a computer, it's specied writing in the subtask.
Each homework is returned
- 24 h before start of next lecture
- you can publish your homework report in any website you like
- return a link to Laksu
- cross-evaluate two other homeworks
To save everyone's time, I will remove those from the course who don't return homework.
Github is a convenient place to publish your reports, others are Gitlab and Wordpress.com. I highly recommend publishing your work. But if you don't dare or want to publish, you can put your web page behind a password (e.g. in Wordpress.com, same password for all reports), and share this password with your group. Or use a pseudonym or an alias.
All sources must be refered to: this task page, classes, reports from your classmates, classmate presentations, man pages, the article you found...
Returned link must open the report directly. For example, return link to your "h1-helsec.md", not the front page of your website. Web page must directly open in web browser, so it must be HTML. (Github will automatically convert your Markdown to HTML). Other formats are not accepted (no docx, no pdf, no odx, no xlsx...).
AI and large language models (LLM): You can ask AI or LLM a question and use the answer as facts for your own answer, written in your own words. AI must be marked as a reference, with details such as prompt (and for advanced users system prompts, temperature, jailbreaks...). LLMs tend to hallucinate, so you should check answers from more reliable sources. It's not allowed to generate text with AI or similar technologies. For example, it's not allowed to generate essay answers or summaries with AI, LLM or similar technologies.
The homeworks are official after they are given in the class. Don't start them before, because they might change. I will of course give homeworks based on what we actually talked about.