Security of Information and Organizations 2022/2023

Important Items

T1: November 25th, 16.30
T2 and E1: January 18th, 10h
ES and PS: February 2nd, 10h
EE and PE: September 5th, 10h
Project 1 - November 16th, 23:59
Project 2 - January 6th, 23:59
Project Special Season - September 5th, 23:59

Most laboratory guides will require a specific Virtual Machine available here. The file is compressed. The username and password are user. It runs best in VirtualBox added as a disk.

Planning

According to the UA academic schedule, classes will be lectured from September 19th, until January 6th. The subject is composed by a 2 hours of theoretical lectures, 2 hours of practical laboratories, and 1 hour of tutoring hours (optional).

Theoretical classes will present key concepts related to the application of security to modern information systems, and organizations. The practical classes will be focused in the exploration of security mechanisms, and in the exploration and analysis of common security attacks.

The topics lectured in each class should be as follows. Changes may happen, so please check it frequently.

Week	Theoretical	Practical
Sep 19 - Sep 23	T1: No classes T2: Introduction to Security	P1-P2,P5-P9: No classes P3-P4: SQL Injection
Sep 26 - Sep 30	T1: Introduction to Security T2: Vulnerabilities	P1-P2,P5-P9: SQL Injection P3,P4: XSS and CORS
Oct 3 - Oct 7	T1: Vulnerabilities T2: Applied Cryptography)	P1-P9: XSS and CORS P3-P4: Symmetric Cryptography
Oct 10 - Oct 14	T1: Applied Cryptography T2: Applied Cryptography	P1-P2,P5-P9: Symmetric Cryptography P3-P4: Symmetric Cryptography
Oct 17 - Oct 21	T1,T2: Applied Cryptography	P1-P2,P5-P9: Symmetric Cryptography P3-P4: Asymmetric Cryptography
Oct 24 - Oct 28	T1: Applied Cryptography, T2:Management of Asymmetric Keys	P1-P2,P5-P9: Asymmetric Cryptography P3-P4: Hash Functions
Oct 31 - Nov 4	T1: Management of Asymmetric Keys T2: Holliday	P1-P2,P5-P9: Hash Functions P3-P4: X509 Certificates
Nov 7 - Nov 11	T1,T2: Smartcards and PTeID	P1-P2,P5-P9: X509 Certificates P3-P4: Transport Layer Security
Nov 14 - Nov 18	T1,T2: Authentication	P1-P2,P5-P9: Transport Layer Security P3-P4: Smart Cards: PTeID
Nov 21 - Nov 25	T1,T2: Authentication	P1-P2,P5-P9: Smart Cards: PTeID P3-P4: Linux Authentication
Nov 28 - Dec 2	T1,T2: Authentication in Devices and Systems	P1-P2,P5-P9: Linux Authentication P3-P4: Linux Authentication
Dec 5 - Dec 9	T1,T2: OS Security Mechanisms	P1-P2,P5-P9: Linux Authentication P3-P3: Encrypted Storage
Dec 12 - Dec 16	T1,T2: Secure Storage	P1-P2,P5-P9: Encrypted Storage P3-P3: Linux Security Mechanisms
Dec 19 - Dec 23	T1,T2: IEEE 802.11, T2	P1-P2,P5-P9: Linux Security Mechanisms P3-P3: TBD
Jan 2 - Jan 6	T1: No classes T2: TBD	P1-P2,P5-P9: TBD P3-P3: TBD

Rules

Faculty and Lectures

This edition will be lectured by professors João Paulo Barraca, André Zúquete, Paulo Bartolomeu and Alfredo Matos. Teaching staff will be available by email and Microsot Teams, especially during the allocated tutoring slots. The use of the Microsoft Teams platform for direct communication is highly recommended. Official course information will be available in this page, or through the Elearning platform.

Classes will be lectured in the Portuguese language, unless there is a foreign student attending. In this case English will be used. All lecture notes will be made available in both Portuguese and English. Laboratory guides will be provided in English.

Prospecting students should be aware that this subject require some basic knowledge of several topics in the areas of networking, programmimg and operating systems, such as: the Python/C/Java languages, Linux administration and Linux console usage (mostly Debian), virtual machines, sockets, HTTP and HTML, asynchronous applications, hardware architectures.

Attendance

Students can choose to attend the theoretical classes, and is highly recommended they do so every week as it correlates with a good outcome. Attendance to practical classes is mandatory and faults will be recorded.

According to the University rules, students must be present at (at least) 70% of the practical classes. For this edition that results in a maximum of 3 unjustified faults. If a student exceeds the number of faults allowed, he will automatically fail the subject and won’t be allowed at any other evaluation during the current academic year.

Grading

Grading will be composed by two components. Both are mandatory and have a minimum threshold.

Theoretical Component: Relates to the contents lectured during all classes, mostly focusing on the theoretical lectures.
- Option 1: 1 (One) intermediate test (T1), and 1 (One) final test (T2), each contributing with 5 points to the component.
  - Each test will cover half of the contents lectured.
  - Students may access the intermediate test without actually returning it for grading.
  - Returning the intermediate test indicates that the student will follow Option 1.
- Option 2: 1 (One) exam (E1) that covers all contents lectured, and contributing with 10 points to the component.
  - This option is available for students that do not return the intermediate test (T1).
- Dates:
  - Intermediate Test (T1): November 25th, including questions that address all contents until Public Key Infrastructures (PKI) (including), but not SmartCards.
  - Final Test (T2): addressing all contents since Smartcards (including).
  - Final Exam (E1): addressing all contents lectured (T1 + T2).
- Final Theoretical Grade: (T1 + T2) or (E1)
- Minimum points of this component: 3.5 pts (0-10)
  - i.e. $ T1 + T2 >= 3.5 \text{ or } E1 >= 3.5$
Practical Component:
- Development of practical projects by a group of 4 students. Exceptionally, 3 students may be allowed after explicit authorization by the professors.
  - assignments may be awarded a maximum bonus +10% due to the addition of added innovation.
  - In the practical projects, each student will have a pool of 96 hours to allocate as required. This pool can be used to return assignments after the deadline without any penalty. After the pool is exausted, a standard penalty of 0.1 points per hour applies up to 2 days. After the 2 days (48h), the assignment will not be accepted.
- Minimum points of this component: 3.5
  - i.e. $practical >= 3.5$

The following table summarizes the points of each component:

Component	Item	Points
P	Project 1	5
P	Project 2	5
T	Intermediate Test- T1 (option 1)	5
T	Final Test - T2 (option 1)	5
T	Final Exam - E1 (option 2)	10

Supplementary season

The supplementary season takes place from January 26th until February 8th. It is available for all students that failed to obtain at least 9.50 points during the normal season, or 3.5 and one of the components. The remaining students may also access this season, but the University requires an additional administrative process. Grading will be composed by two components, each contributing with 10 points to the final grade.

Theoretical Component : Optional exam (ES)
- Theoretical exam covering all contents lectured, with focus on the contents lectured in the theoretical lectures.
- The final grade will be the maximum between the points obtained in this exam, and the points obtained in the previous exam.
Practical Component: Optional practical project (PS)
- Development of a practical project by one ~or two~ up to four students. Update: This will consist on your previous projects, which you can resubmit with improvements.
- The final grade will be the maximum between the points obtained in this project, and the points obtained in the previous assignments.

Special season

The special season usually takes place in September and is available to students in specific cases. Accessing this season will require an additional administrative process.

Grading will be composed by two components, each contributing with 10 points to the final grade. It follows the same rules used in the Supplementary season.

Students that wish to access this season should contact the faculty staff as soon as possible (e.g July).

Theoretical Component: Optional exam (SSE)
- Theoretical exam covering all contents lectured, with focus on the contents lectured in the theoretical lectures.
- The final grade of the theoretical component will be the grade awarded. There will be no individual parts.
Practical Component: Optional practical project (SSP)
- Development of one or two practical projects by one student.
- The final grade for the theoretical component will be the grade awarded for the first and/or second project.

Additional Content

Software

AirCrackNG: A complete suite of tools to assess WiFi network security.
Bettercap: The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks.
Wireshark: The most popular packet sniffer application.
WebGoat: A deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
Kali Linux: A popular Penetration Testing Distribution.
John the Ripper: A password Cracker.
Hashcat: Advanced Password Recovery tool, especially tailored at OpenCL.
nmap: Probably the most famous port scanner and recognaissance tool.
Pwnagotchi: Deep Reinforcement Learning for Wifi Pwning.

Websites

TryHackMe: Beginner friendly website for cybersecurity training.
GameOfHacks: Identify common programming errors that lead to security issues.
Let’s Encrypt: A free, automated and open Certification Authority.
Bruce Schneier Blog: A very interesting blog dedicate to security and cryptography.
SANS Technology Institute: Best Security Books
Reddit NetSec and NetSecStudents
Reddit NetSec Books Galore
Hacking Secret Ciphers With Python
CVE Details

Books

Misc Resources

These are not directly related to the course syllabus, but somewhat belong to the culture of cibersecurity.