# Security in Informatics and in the Organizations 2015/2016

This page contains the theoretical and practical contents of the SIO course. For last year's contents, please check Prof. André Zúquete's web page. The contents on this page will be mostly replicated from the last edition, but some changes may be made.

## General Information

This subject belongs to the 3rd year of the LEI degree, following the description presented on the official web page.

This year's edition will be managed by professor João Paulo Barraca (email: jpbarraca@ua.pt) and assisted by professor Hélder Gomes (email: helder.gomes@ua.pt). Both professors will be permanently available by email, as well as during the allocated tutoring slots.

Classes will be presented in Portuguese, unless a foreign student is attending, in which case English will be used. All content is developed in English.

As a prerequisite, students should be aware that this subject requires a reasonable knowledge and comprehension of several networking, software and operating system topics, such as: the C and Java languages, Linux administration and console usage, virtual machines, sockets, HTTP and HTML, asynchronous applications, and hardware architectures.

## Planning

According to the UA calendar, classes start on September 14th and end on December 18th. The subject is composed of a 2h theoretical class and a 2h practical class, making a total of 4 hours per week of lectures. Students are expected to spend an additional 2 hours per week exploring the concepts presented during the lectures. Theoretical classes will present key concepts related to the security of modern systems. The practical classes will focus on the exploration of these concepts, or on the exploration and analysis of popular security attacks.

On Mondays at 19h, one of the professors will be available to assist students with the comprehension of the topics presented, or to discuss the elaboration of the practical exercises and projects.

| # | Date | Theoretical class | Practical class |
|---|------|-------------------|-----------------|
| 1 | Sep 14 | Introduction | Virtual Machines (Linux, Networking, Virtualization) |
| 2 | Sep 21 | Vulnerabilities | Vulnerabilities: XSS and SQL Injection (HTML, HTTP, JS, SQL) |
| 3 | Sep 28 | Cryptography | Cryptography (Python or Java) |
| 4 | Oct 5 | Cryptography | Cryptography (Python or Java) |
| 5 | Oct 12 | Cryptography | Cryptography (Python or Java) |
| 6 | Oct 19 | Management of Asymmetric Keys | SmartCards and PKCS #11 (PTEID, Java or Python) |
| 7 | Oct 26 | Smartcards: PTEID | SmartCards and PKCS #11 (PTEID, Java or Python) |
| 8 | Nov 2 | Authentication | Secure Communications (SSH) |
| 9 | Nov 9 | Authentication | First Project Presentation |
| 10 | Nov 16 | Security in IEEE 802.11 WN | Vulnerabilities: ARP Poisoning (Linux) |
| 11 | Nov 23 | Security in IEEE 802.11 WN | Wi-Fi Security: IEEE 802.1x |
| 12 | Nov 30 | Network Filtering with Firewalls | Secure File Systems (Linux, C or Python) |
| 13 | Dec 7 | Security in Operating Systems | Firewalls with iptables (Linux) |
| 14 | Dec 14 | Secure and Redundant Storage | Security in Operating Systems (Linux or Windows) |

### Important Dates

• Intermediate Test: November 11th

### Attendance Rules

Students can choose whether to attend the theoretical classes, but it is highly recommended that they do so every week. Attendance at practical classes is mandatory, as students' absences will be recorded.

According to the current regulation, students must be present at 80% of the practical classes. For this edition, that allows 2 unjustified absences. A student who exceeds the number of absences allowed will automatically fail the subject and won't be admitted to any other evaluation event during the current school year.

Grading is composed of two components, each contributing 10 points (50%) to the final grade.

1. Theoretical Component:
   • Option 1: 1 intermediate test and 1 final test, each worth half of this component's points.
     • Delivering the intermediate test implies following Option 1 (i.e. students cannot do the final exam).
   • Option 2: 1 final exam covering all topics, worth 20 points (in 20).
   • Dates:
     • Intermediate Test (IT): TBD
     • Final Test (FT): TBD
     • Final Exam (FE): TBD
   • Final Theoretical Grade: (IT + FT) or (FE)
   • Minimal grade of this component: 8.50 in 20, i.e. $$it + ft \geq 8.50 \text{ or } fe \geq 8.50$$
2. Practical Component:
   • Development of one project by a group of 2 students. Exceptionally, 3 may be allowed.
     • Groups with additional members will be penalized by 1 point per extra member (per project).
     • Groups with one member will have a bonus of 1 point.
   • There will be a preliminary delivery, an intermediate presentation, and a final delivery.
   • Minimal grade of this component: 8.50 in 20, i.e. $$proj \geq 8.50$$

The final grade is the sum of the two components.

That is:

$$final = \begin{cases} \dfrac{t + p}{2} & \text{if } t \in [8.50, 20] \text{ and } p \in [8.50, 20] \\ \text{fail due to minimum grade} & \text{if } t \in [0, 8.50[ \text{ or } p \in [0, 8.50[ \\ \text{fail due to excessive absence} & \text{if } faults > 2 \end{cases}$$

where

$$t = \begin{cases} \dfrac{test_{intermediate} + test_{final}}{2} & \text{if } test_{intermediate} \text{ delivered} \\ exam & \text{if } test_{intermediate} \text{ not delivered} \end{cases}$$

and

$$p = proj_{d1} \times 0.2 + proj_{d2} \times 0.1 + proj_{d3} \times 0.85$$

with

$$p,\ t,\ proj_{d2},\ proj_{d3},\ test_{intermediate},\ test_{final},\ exam \in [0, 20], \quad proj_{d1} \in [0, 5]$$

Students are considered to pass the subject if their final grade is at least 9.50 (in 20).

### “Recurso”

Grading is composed of two components, each contributing 10 points (50%) to the final grade.

1. Theoretical Component: Mandatory theoretical exam
   • Minimal grade of this component: 8.50 in 20
   • Will replace the grade of the theoretical component obtained during the semester
2. Practical Component: Optional practical project
   • Development of one project by a single student
   • Optional, but subject to the following rules:
     • The corresponding theoretical exam is mandatory
     • Students can only enroll after they have completed the corresponding theoretical exam and achieved a grade of at least 8.50 in 20.

## Theoretical classes

1. Introduction: Slides
   • Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Chap. 1
   • Segurança Informática nas Organizações, H. São Mamede: Chap. 1
   • Segurança em Redes Informáticas, A. Zúquete: Chap. 1
2. Vulnerabilities: Slides
3. Cryptography: Slides
   • Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Chaps. 2 & 3
   • Segurança Informática nas Organizações, H. São Mamede: Secs. 3.2, 3.4 and 3.6
   • Segurança em Redes Informáticas, A. Zúquete: Chap. 2
4. Management of Asymmetric Keys: Slides
5. Portuguese Citizen Card: Slides
6. Authentication: Slides
   • Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Sec. 4.5
   • Segurança Informática nas Organizações, H. São Mamede: Sec. 3.5
   • Segurança em Redes Informáticas, A. Zúquete: Secs. 5.3, 5.4.1, 8.6.3, 8.9.2, Chap. 10
7. Security in IEEE 802.11: Slides
   • Segurança em Redes Informáticas, A. Zúquete: Chap. 9
8. Firewalls: Slides
9. Security in Operating Systems: Slides
10. Secure and Redundant Storage: Slides
    • Segurança Informática nas Organizações, H. São Mamede: Sec. 5.9.1

## Practical Classes

• Project: Software Protection Mechanisms
  • Previous versions: v1.0
  • Changelog:
    • v1.1: Added the delivery dates and added a clarification to Section 1.2
• Virtualization: guide
  • Useful resources:
• Vulnerabilities XSS and SQL Injection: guide
  • Useful resources:
• Cryptography: guide
  • Useful resources:
• Smartcards: guide
• Secure Communications SSH: guide
• Vulnerabilities ARP Poisoning: guide
• X.509 and Mutual Authentication: guide
• Wi-Fi Security (IEEE 802.1x): guide
• Secure File Systems: guide
• Firewalls with iptables: guide
• Security in Operating Systems: guide

## Virtual Machine

Students can use preconfigured virtual machine ISO images based on Linux Mint, containing most of the software required during the practical classes. There are two flavors of the virtual machine; please select the most appropriate one for your hardware. If you do not know which one to select, get the 32-bit one.

To use the images, create a VirtualBox virtual machine and then add the image as CD-ROM media.

## Exams

Exams from previous editions are available here.