Security in Informatics and Organizations 2019/2020
This subject belongs to the 3rd year of the LEI degree, following the description presented on the official webpage.
This edition will be lectured by professor João Paulo Barraca (email: jpbarraca@ua.pt), with the support of professor Vitor Cunha (email: vitorcunha@ua.pt). Both professors will be available by email and Discord, especially during the allocated tutoring slots. The use of the Slack platform for direct communication is highly recommended. Official course information will be available on this page or through the Elearning platform.
Classes will be lectured in the Portuguese language, unless there is a foreign student attending. In this case English will be used. All content is developed in the Portuguese and English languages.
Students should be aware that this subject requires a reasonable knowledge and comprehension of several networking, software and operating system topics, such as the Python/C/Java languages, Linux administration and console usage (mostly Debian and Arch), virtual machines, sockets, HTTP and HTML, asynchronous applications, and hardware architectures.
Important Dates
- Project 1 - November 16th, 23:59
- Project 2+3 - December 30th, 23:59
- Project 4 - January XX, 23:59
Theoretical Component
- Introduction: Slides PT, Slides EN
  - Recommended reading:
    - Segurança em Redes Informáticas, A. Zúquete: Chap. 1
- Vulnerabilities: Slides PT, Slides EN
  - Recommended reading:
    - Segurança em Redes Informáticas, A. Zúquete: Chaps. 4 & 5
    - OWASP Top 10 - 2017
    - Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
    - Sasha Romanosky, Examining the costs and causes of cyber incidents, Journal of Cybersecurity, Volume 2, Issue 2, December 2016, Pages 121–135, https://doi.org/10.1093/cybsec/tyw001
- Cryptography: Slides PT, Slides EN
  - Recommended reading:
    - Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Chaps. 2 & 3
    - Segurança em Redes Informáticas, A. Zúquete: Chap. 2
    - Symmetric-key algorithm
    - Stream ciphers
    - Linear feedback shift register
    - Block ciphers
    - Public-key cryptography
    - Modular arithmetic
    - RSA
    - Block cipher modes of operation
    - Digest function (cryptographic hash function)
    - Digital signature
    - DSA (Digital Signature Algorithm)
    - Blind signature
- Management of Asymmetric Keys: Slides PT, Slides EN
  - Recommended reading:
    - Segurança em Redes Informáticas, A. Zúquete: Chap. 3
    - NIST Special Publication 800-57: Recommendation for Key Management – Part 1: General (Revision 3)
    - Public-key cryptography
    - Public key certificate
    - X.509
    - Certification authorities
    - Root certificates
    - Self-signed certificates
    - Public key infrastructure
    - PGP (Pretty Good Privacy)
    - PEM (Privacy-enhanced Electronic Mail)
- Authentication: Slides PT, Slides EN
  - Recommended reading:
    - Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Sec. 4.5
    - Segurança em Redes Informáticas, A. Zúquete: Secs. 5.3, 5.4.1, 8.6.3, 8.9.2, Chap. 10
- SmartCards - PTEID: Slides
- Security in IEEE 802.11 WN: Slides
  - Recommended reading:
    - Segurança em Redes Informáticas, A. Zúquete: Chap. 9
- Network Filtering with Firewalls: Slides
  - Recommended reading:
    - Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Sec. 7.4
    - Segurança em Redes Informáticas, A. Zúquete: Chap. 6
    - Security Engineering, 2nd edition, R. Anderson: Chap. 21
- Security in Operating Systems: Slides
  - Recommended reading:
    - Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Chap. 4
  - Optional reading:
    - Sistemas Operativos, José Alves Marques, Paulo Ferreira, Carlos Ribeiro, Luís Veiga, Rodrigo Rodrigues: Chap. 8
    - Operating System
    - Process
    - Introduction to Computer Security - Access Control and Authorization
    - Access Control in Operating Systems
    - Windows Access Control Model
    - NTFS Security and Permissions
    - Unix Access Control Lists (ACL)
    - Unix permissions model
    - SUID and SGID attributes
    - On the Security of UNIX (by Dennis Ritchie)
    - chroot
- Secure and Redundant Storage: Slides
Practical Component
Applied Security Assignments
These assignments will focus on the content of the practical classes, assessing the analytical and programming aspects of security in information systems. Each assignment contributes 2.5 points to the final grade.
Students have a total grace period of 96 hours, shared across all assignments, counted from each assignment's deadline. As an example, returning the first assignment at 7 AM deducts 7 hours from each student in the team, leaving only 89 hours for the following assignment.
Once the grace hours are exhausted, each additional hour incurs a penalty of 0.083 points.
Laboratory guides
- Vulnerabilities - SQL Injection
  - Lab Contents: guide, aux slides1
  - Support Documentation:
    - Wikipedia: SQL Injections
    - [The SQL Problem](p/1/Stuart Thomas The SQL Problem.pdf)
    - SQL Injection Prevention Sheet
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command
    - MySQL INFORMATION_SCHEMA tables
- Vulnerabilities - XSS, CORS and CSRF
  - Lab Contents: guide, resources, aux slides
- Cryptography
  - Lab Contents: guide, aux slides1, aux slides2
- Validation of X.509 Certificates
  - Lab Contents: guide, aux slides
- Smartcards and the Portuguese eID
  - Lab Contents: guide, aux slides
- Secure Communications with SSL
  - Lab Contents: guide, PTEID Certificates
- Secure Communications with SSH
- Attacks to Wireless Networks
  - Lab Contents: guide
- Linux Firewalls
  - Lab Contents: guide
- Privilege Escalation and Confinement
- Secure Encrypted Storage (to be done autonomously)
  - Lab Contents: guide
Additional Content
Software
- AirCrackNG: A complete suite of tools to assess WiFi network security.
- Bettercap: The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet network reconnaissance and MITM attacks.
- Wireshark: The most popular packet sniffer application.
- WebGoat: A deliberately insecure web application maintained by OWASP, designed to teach web application security lessons.
- Kali Linux: A popular penetration testing distribution.
- John the Ripper: A password cracker.
- Hashcat: Advanced password recovery tool, especially tailored to OpenCL.
- nmap: Probably the most famous port scanner and reconnaissance tool.
- Pwnagotchi: Deep Reinforcement Learning for WiFi pwning.
Websites
- GameOfHacks: Identify common programming errors that lead to security issues.
- Let’s Encrypt: A free, automated and open Certification Authority.
- Bruce Schneier Blog: A very interesting blog dedicated to security and cryptography.
- SANS Technology Institute: Best Security Books
- Reddit NetSec and NetSecStudents
- Reddit NetSec Books Galore
- Hacking Secret Ciphers With Python
- CVE Details
Books
- Security in Computing, Fourth Edition
- Handbook of Applied Cryptography
- Security Engineering - The Book
- Understanding Cryptography
- Everyday Cryptography: Fundamental Principles and Applications
- Segurança em Redes Informáticas
Misc Resources
- Cryptonomicon
- The Cuckoo's Egg
- The Hacker Playbook 2: Practical Guide To Penetration Testing
- Smashing The Stack For Fun And Profit
- The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography (Paperback)
- Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
Planning
According to the UA academic schedule, classes start on October 6th and end on January 19th. The subject is composed of 2 hours of theoretical lectures, 2 hours of practical laboratories, and 1 hour of tutoring, a total of 5 contact hours per week. Students are expected to spend an additional 2 hours per week exploring the concepts presented during the lectures, and to make use of the tutoring times. Theoretical classes will present key concepts related to the application of security to modern information systems and to organizations. The practical classes will focus on exploring these concepts and on the exploration and analysis of popular security attacks.
The topics lectured in each class should be as presented in the next table. Changes may happen, so please check it frequently.
# | Date | Theoretical class | Practical class |
---|---|---|---|
1 | Oct 12 | Introduction | Vulnerabilities: SQL Injection |
2 | Oct 19 | Vulnerabilities | Vulnerabilities: XSS and CORS |
3 | Oct 26 | Applied Cryptography | Cryptography - Stream Ciphers |
4 | Nov 2 | Applied Cryptography | Cryptography - Block Ciphers and Digests |
5 | Nov 9 | Applied Cryptography | Cryptography - Asymmetric ciphers |
6 | Nov 16 | Management of Asymmetric Keys | Certification Chains |
7 | Nov 23 | Authentication | SmartCards and PKCS #11 |
8 | Dec 14 | Authentication | Secure communications with SSL |
9 | Dec 21 | Network Filtering with Firewalls | Firewalls with iptables |
10 | Jan 4 | Security in Operating Systems | Privilege Escalation and Environment |
11 | Jan 11 | Security in Operating Systems | Confinement |
12 | Jan 18 | Secure and Redundant Storage | Secure Encrypted Storage |
Rules
Attendance Rules
Students can choose to attend the theoretical classes, and it is highly recommended that they do so every week, as attendance correlates with a good outcome. Attendance at practical classes is mandatory and absences will be recorded. Due to COVID, all attendance will be recorded.
According to the University rules, students must be present at (at least) 80% of the practical classes. For this edition, that results in a maximum of 2 unjustified absences. Students who exceed the number of absences allowed will automatically fail the subject and will not be admitted to any other evaluation during the current academic year.
Grading rules
Grading is composed of two components, each contributing 50% to the final grade.
- Theoretical Component: relates to the contents lectured during the theoretical lectures and laboratories.
  - Option 1: 1 (one) intermediate test (T1) and 1 (one) final test (T2), each contributing 50% to the component.
    - Each test covers half of the contents lectured.
    - Students may sit the intermediate test without returning it for grading.
    - Returning the intermediate test signals the choice of Option 1.
  - Option 2: 1 (one) exam (E1) covering all contents lectured, contributing 100% to the component.
    - This option is available to students who do not return the intermediate test.
  - Dates:
    - Intermediate Test (T1): November 27th, with questions covering all contents up to and including Management of Public Keys
    - Final Test (T2): DATE TBD, covering all contents from Authentication Protocols onwards
    - Final Exam (E1): DATE TBD, covering all contents lectured
  - Final Theoretical Grade: (T1 + T2) / 2 or E1
  - Minimum grade of this component: 7.0 in 20
    - i.e. $\frac{T1 + T2}{2} \geq 7.0 \text{ or } E1 \geq 7.0$
- Practical Component:
  - Development of practical projects by groups of 2 students. Exceptionally, 3 students may be allowed after explicit authorization by the professors.
    - Groups with more than 2 members incur a 10% penalty, but their assignments may be awarded +10% for added innovation.
    - Groups with one member will not receive any bonus.
  - Minimum grade of this component: 7.0 in 20
    - i.e. $practical \geq 7.0$
The following table summarizes the points of each component:
Component | Item | Contribution |
---|---|---|
P | Assignment 1 | 12.5% |
P | Assignment 2+3 | 25% |
P | Assignment 4 | 12.5% |
T | Intermediate Test - T1 (option 1) | 25% |
T | Final Test - T2 (option 1) | 25% |
T | Final Exam - E1 (option 2) | 50% |
Supplementary season
The supplementary season usually takes place at the end of January and is available to all students who did not obtain at least 9.50 points during the normal season. The remaining students may also access this season, but the University requires an additional administrative process. Grading is composed of two components, each contributing 50% to the final grade.
- Theoretical Component: optional exam (ES)
  - Theoretical exam covering all contents lectured in theoretical classes or laboratories.
  - Returning this exam replaces the theoretical grade obtained in the normal season, if the new grade is higher than the previous one.
  - Minimum grade of this component: 7.0 in 20.
- Practical Component: optional practical project (PS)
  - Development of a practical project by one or two students.
  - Minimum grade of this component: 7.0 in 20.
Special season
The special season usually takes place in September and is available to students in specific cases. Accessing this season will require an additional administrative process.
Grading is composed of two components, each contributing 50% to the final grade.
- Theoretical Component: optional exam (EE)
  - Theoretical exam covering all contents lectured in theoretical classes or laboratories.
  - Minimum grade of this component: 7.0 in 20.
- Practical Component: optional practical project (PE)
  - Development of a practical project by one student.
  - Minimum grade of this component: 7.0 in 20.