Security in Informatics and Organizations 2019/2020

This subject belong to the 3rd year of the LEI degree, following the description present at the official webpage

This edition will be lectured by professor João Paulo Barraca (email: jpbarraca@ua.pt), with the support of professor Vitor Cunha (email: vitorcunha@ua.pt). Both professors will both be available by email and Discord, especially during the allocated tutoring slots. The use of the Slack platform for direct communication is highly recommended. Official course information will be available in this page, or through the Elearning platform.

Classes will be lectured in the Portuguese language, unless there is a foreign student attending. In this case English will be used. All content is developed in the Portuguese and English languages.

As requirements for this subject, students should be aware that this subject requires a reasonable knowledge and comprehension of several networking, software and operating system topics, such as: the Python/C/Java languages, Linux administration and Linux console usage (mostly Debian and Arch), virtual machines, sockets, HTTP and HTML, asynchronous applications, hardware architectures.

Important Dates

• Project 1 - November 16th, 23:59
• Project 2+3 - December 30th, 23:59
• Project 4 - January XX, 23:59

Theoretical Component

1. Introduction: Slides PT, Slides EN

   • Recommended reading:
     • Segurança em Redes Informáticas, A. Zúquete: Chap. 1
   • Google Data Center Security: 6 Layers Deep
     • An Introduction to Computer Security: The NIST Handbook
     • The Big Ol’ Ubuntu Security Resource
     • Information security
     • Enterprise Information Security Architecture (EISA)
   • A Guide to Build Dependable Distributed Systems, Chap. 1

2. Vulnerabilities: Slides PT, Slides EN

   • Recommended reading:
     • Segurança em Redes Informáticas, A. Zúquete: Caps. 4 & 5
     • OWASP Top 10 -2017
     • Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
     • Sasha Romanosky, Examining the costs and causes of cyber incidents, Journal of Cybersecurity, Volume 2, Issue 2, December 2016, Pages 121–135, https://doi.org/10.1093/cybsec/tyw001
   • Optional reading:
     • OWASP: Open Web Application Security Project
     • Wikipedia: Zero-day vulnerability
     • CVE (Common Vulnerabilities and Exposures) @ Wiki
     • CVE @ MITRE
     • CWE (Common Weakness Enumeration)
     • CERT.PT
     • Rede Nacional de CSIRTs
     • CSIRT (Computer Security Incident Response Team)
     • CSIRT.org
     • CSIRT FAQ
     • CSIRT @ UA

3. Cryptography: Slides PT , Slides EN

   • Recommended reading:
     • Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Chaps. 2 & 3
     • Segurança em Redes Informáticas, A. Zúquete: Cap. 2
     • Symmetric-key algorithm
     • Stream ciphers
     • Linear feedback shift register
     • Block ciphers
     • Public-key cryptography
     • Modular arithmetic
     • RSA
     • Block cipher modes of operation
     • Digest function (cryptographic hash function)
     • Digital signature
     • DSA (Digital Signature Algorithm)
     • Blind signature

4. Management of Asymmetric Keys: Slides PT, Slides EN

   • Recommended reading:
     • Segurança em Redes Informáticas, A. Zúquete: Cap. 3
     • NIST Special Publication 800-57: Recommendation for Key Management – Part 1: General (Revision 3)
     • Public-key cryptography
     • Public key certificate
     • X.509
     • Certification authorities
     • Root certificates
     • Self-signed certificates
     • Public key infrastructure
     • PGP (Pretty Good Privacy)
     • PEM (Privacy-enhanced Electronic Mail)

5. Authentication: Slides, Slides_EN

   • Recommended reading:
     • Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Sec. 4.5
     • Segurança em Redes Informáticas, A. Zúquete: Secs. 5.3, 5.4.1, 8.6.3, 8.9.2, Cap. 10
   • Optional reading:
     • Authentication
     • Biometric authentication
     • Dictionary attacks
     • RSA SecurID
     • YubiKey
     • S/Key
     • Hash chain
     • SSH
     • TLS

6. SmartCards - PTEID: Slides

   • Optional reading:
     • Declaração de Práticas de Certificação da EC do Cidadão
     • PKI Cartão de Cidadão
     • Manuais do Cartão de Cidadão
     • Software do Cartão de Cidadão

7. Security in IEEE 802.11 WN: Slides

   • Recommended reading:
     • Segurança em Redes Informáticas, A. Zúquete: Cap. 9
   • Optional reading:
     • Wired Equivalent Privacy
     • IEEE 802.11i-2004
     • IEEE 802.1X
     • WEP Attack
     • Breaking 104 bit WEP in less than 60 seconds
     • Bettercap and PMKIDs
     • Pwnagotchi: Deep Reinforcement Learning for Wifi Pwning!

8. Network Filtering with Firewalls: Slides

   • Recommended reading:
     • Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Sec. 7.4
     • Segurança em Redes Informáticas, A. Zúquete: Cap. 6
     • Security Engineering second edition, Ross Anderson, Chap 21
   • Optional reading:
     • IPTables
     • Smoothwall Firewall
     • Fail2ban

9. Security in Operating Systems: Slides

   • Recommended reading:
     • Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Chap. 4
   • Optional reading:
     • Sistemas Operativos, José Alves Marques, Paulo Ferreira, Carlos Ribeiro, Luís Veiga, Rodrigo Rodrigues: Cap. 8
     • Operating System
     • Process
     • Introduction to Computer Security - Access Control and Authorization
     • Access Control in Operating Systems
     • Windows Access Control Model
     • NTFS Security and Permissions
     • Unix Access Control Lists (ACL)
     • Unix permissions model
     • SUID and SGID attributes
     • On the Security of UNIX (by Dennis Ritchie)
     • chroot

10. Secure and Redundant Storage Slides

    • Recommended reading:
      • RAID
      • Enterprise Class versus Desktop Class Hard Drives, Intel
      • Failure Trends in a Large Disk Drive Population, Google
      • BitLocker
      • Self Encrypting Disks
      • Encfs

Practical Component

Applied Security Assignments

These assignments will focus on the content of the practical classes, assessing the analytical and programming aspects of security in information systems. Each assignment will contribute with 2.5 points to the final grade.

Students will have a total grace period of 96 hours after the deadline of the assignments. As an example, returning the first assignment at 7 AM will discount 7 hours from each student in the same team. In the following assignment, the students will only have 89 hours available.

After the grace hours are over, each hour will incur in 0.083 penalty points.

Laboratory guides

1. Vulnerabilities - SQL Injection

   • Lab Contents: guide, aux slides1
   • Support Documentation:
     • Wikipedia: SQL Injections
     • [The SQL Problem](p/1/Stuart Thomas The SQL Problem.pdf)
     • SQL Injection Prevention Sheet
     • CWE-89: Improper Neutralization of Special Elements used in an SQL Command
     • MySQL INFORMATION_SCHEMA tables

2. Vulnerabilities - XSS. CORS and CSF

   • Lab Contents: guide, resources, aux slides
   • Support Documentation:
     • CWE-79: Improper Neutralization of Input During Web Page Generation
     • Content Security Policy
     • Cross Origin Request Sharing

3. Cryptography

   • Lab Contents: guide, aux slides1, aux slides2
   • Support Documentation:
     • RSA, RFC 3447
     • SHA-2
     • Blake2
     • PKCS#5, RFC 2898
     • Python Cryptography
     • Cipher Security Summary
     • Python Base 64
     • Python getpass

4. Validation of X.509 Certificates

   • Lab Contents: guide, aux slides
   • Support Documentation:
     • RFC 4158: Internet X.509 Public Key Infrastructure: Certification Path Building
     • X.509v3
     • Python Cryptography X.509
     • XCA

5. Smartcards and the Portuguese eID

   • Lab Contents: guide, aux slides
   • Support Documentation:
     • Cartão de Cidadão
     • PKCS #11 v2.20
     • PyKCS11
     • X.509v3
     • Python Cryptography X.509

6. Secure Communications with SSL

   • Lab Contents: guide, PTEID Certificates
   • Support Documentation:
     • CA Authentication Certificates
     • CA Citizen Card Certificates (Test)
     • CA Citizen Card Certificates
     • PKI Cartao de Cidadao
     • CA State
     • NGINX SSL
     • NGINX PHP
     • XCA

7. Secure Communications with SSH

   • Lab Contents: guide
   • Support Documentation:
     • OpenSSH
     • OTPW

8. Attacks to Wireless Networks

   • Lab Contents: guide
   • Support Documentation:
     • Eric Tews, Practical attacks on WEP, Diploma Thesis, 2007
     • Support Diccionaries

9. Linux Firewalls

   • Lab Contents: guide
   • Support Documentation:
     • iptables
     • fail2ban
     • fail2ban SSH in Ubuntu
     • iptables masquerade
     • Smoothwall Express

10. Privilege Escalation and Confinement

    • Lab Contents: guide, server.c
    • Support Documentation:
      • Set-UID mechanism
      • Linux ACLs
      • Linux Chroot
      • Linux Apparmor

11. Secure Encrypted Storage (to be done autonomously)

    • Lab Contents: guide
    • Support Documentation:
      • EncFS
      • Linux Unified Key Setup

Additional Content

Software

• AirCrackNG: A complete suite of tools to assess WiFi network security.
• Bettercap: The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks.
• Wireshark: The most popular packet sniffer application.
• WebGoat: A deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
• Kali Linux: A popular Penetration Testing Distribution.
• John the Ripper: A password Cracker.
• Hashcat: Advanced Password Recovery tool, especially tailored at OpenCL.
• nmap: Probably the most famous port scanner and recognaissance tool.
• Pwnagotchi: Deep Reinforcement Learning for Wifi Pwning.

Websites

• GameOfHacks: Identify common programming errors that lead to security issues.
• Let’s Encrypt: A free, automated and open Certification Authority.
• Bruce Schneier Blog: A very interesting blog dedicate to security and cryptography.
• SANS Technology Institute: Best Security Books
• Reddit NetSec and NetSecStudents
• Reddit NetSec Books Galore
• Hacking Secret Ciphers With Python
• CVE Details

Books

• Security in Computing, Fourth Edition
• Handbook of Applied Cryptography
• Security Engineering - The Book
• Understanding Cryptography
• Everyday Cryptography: Fundamental Principles and Applications
• Segurança em Redes Informáticas

Misc Resources

• Cryptonomicon
• The Cuckoos Egg
• The Hacker Playbook 2: Practical Guide To Penetration Testing
• Smashing The Stack For Fun And Profit
• The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography (Paperback)
• Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker

Planning

According to the UA academic schedule classes start on October 6th, and end on January 19th. The subject is composed by a 2 hours theoretical lectures, 2 hours of practical laboratories, and 1 hour of tutoring making, a total of 5 hours per week of contact hours. It is expected the students to spend an additional 2 hours per week exploring the concepts presented during the lectures. It is also expected them to make use of the tutoring times. Theoretical classes will present key concepts related to the application of security to modern information systems, and its application to organizations. The practical classes will be focused in the exploration of these concepts, and in the exploration and analysis of popular security attacks.

The topics lectured in each class should be as presented in the next table. Changes may happen, so please check it frequently.

Rules

Attendance Rules

Students can choose to attend the theoretical classes, and is highly recommended they do so every week as it correlates with a good outcome. Attendance to practical classes is mandatory and faults will be recorded. Due to COVID all attendence will be recorded.

According to the University rules, students must be present at (at least) 80% of the practical classes. For this edition that results in a maximum of 2 unjustified faults. If a student exceeds the number of faults allowed, he will automatically fail the subject and won’t be allowed at any other evaluation during the current academic year.

Grading rules

Grading will be composed by two components, each contributing with 50% to the final grade.

1. Theoretical Component: Relates to the contents lectured during the theoretical lectures and laboratories.
   • Option 1: 1 (One) intermediate test (T1), and 1 (One) final test (T2), each contributing with 50% to the component.
     • Each test will cover half of the contents lectured.
     • Students may access the intermediate test without actually returning it for grading.
     • Returning the intermediate test signals the choice of following Option 1.
   • Option 2: 1 (One) exam (E1) that covers all contents lectured, and contributing 100% to the component.
     • This option is available for students that do not return the intermediate test.
   • Dates:
     • Intermediate Test (T1): November 27th, including questions that address all contents until Management of Public Key (including)
     • Final Test (T2): DATE TBD, addressing all contents since Authentication Protocols.
     • Final Exam (E1): DATE TBD, addressing all contents lectured
   • Final Theoretical Grade: (T1 + T1) or (E1)
   • Minimum grade of this component: 7.0 in 20
     • i.e. $ \frac{t1 + t2}{2} >= 7.0 \text{ or } e1 >= 7.0$
2. Practical Component:
   • Development of practical projects by a group of 2 students. Exceptionally, 3 students may be allowed after explicit authorization by the professors.
     • groups with more than 2 members will have a penalty of 10%, but assignments may be awarded +10% due to the addition of added innovation.
     • groups with one member will not have any bonus.
   • Minimum grade of this component: 7.0 in 20
     • i.e. $practical >= 7.0$

The following table summarizes the points of each component:

Supplementary season

The supplementary season usually takes place in the end of January, and is available for all students that did not obtained at least 9.50 points during the normal season. The remaining students may also access this season, but the University requires an additional administrative. Grading will be composed by two components, each contributing with 50% to the final grade.

1. Theoretical Component : Optional exam (ES)

   • Theoretical exam covering all contents lectured in theoretical classes or laboratories.
   • Returning this exam will replace the theoretical grade obtained in the normal season, if this grade is higher than the previous one.
   • Minimum grade of this component: 7.0 in 20.

2. Practical Component: Optional practical project (PS)

   • Development of a practical project by one or two students.
   • Minimum grade of this component: 7.0 in 20.

Special season

The special season usually takes place in September and is available to students in specific cases. Accessing this season will require an additional administrative process.

Grading will be composed by two components, each contributing with 50% to the final grade.

1. Theoretical Component : Optional exam (EE)

   • Theoretical exam covering all contents lectured in theoretical classes or laboratories.
   • Minimum grade of this component: 7.0 in 20.

2. Practical Component: Optional practical project (PE)

   • Development of a practical project by one student.
   • Minimum grade of this component: 7.0 in 20.