# Information and Organizational Security 2018/2019

This page contains the theoretical and practical contents of the SIO course. For last year's contents, please check Prof. André Zúquete's web page.

## General Information

This subject belongs to the 3rd year of the LEI degree, following the description on the official web page.

This year's edition will be managed by professor João Paulo Barraca (email: jpbarraca@ua.pt), and lectured in coordination with professor Vitor Cunha (email: vitorcunha@ua.pt). Both professors will be available by email and Slack (#security), especially during the allocated tutoring slots.

Classes will be lectured in Portuguese, unless a foreign student is attending, in which case English will be used. All content is developed in English.

Students should be aware that this subject requires a reasonable knowledge and comprehension of several networking, software and operating system topics, such as: the C/Python/Java languages, Linux administration and console usage (mostly Debian and Arch), virtual machines, sockets, HTTP and HTML, asynchronous applications, and hardware architectures.

## Planning

According to the UA calendar, classes start on September 17th and end on December 21st. The subject is composed of a 2h theoretical class and a 2h practical class, making a total of 4 hours of lectures per week. Students are expected to spend an additional 2 hours per week exploring the concepts presented during the lectures, and should make use of the tutoring times. Theoretical classes will present key concepts related to the security of modern computer systems and their application to organizations. The practical classes will focus on the exploration of these concepts, and on the exploration and analysis of popular security attacks.

On Tuesdays at 14h, the professors will be available to help students understand the topics presented, or to discuss the practical exercises and projects.

| # | Date | Theoretical class | Practical class |
|---|------|-------------------|-----------------|
| 1 | Sep 17 | Introduction | Vulnerabilities: LAN security |
| 2 | Sep 24 | Vulnerabilities | Vulnerabilities: XSS and SQL Injection (HTML, HTTP, JS, SQL) |
| 3 | Oct 1 | Cryptography | Cryptography (Python or Java) |
| 4 | Oct 8 | Cryptography | Cryptography (Python or Java) |
| 5 | Oct 15 | Cryptography | Cryptography (Python or Java) |
| 6 | Oct 22 | Management of Asymmetric Keys | Certification Chains |
| 7 | Oct 29 | Smartcards: PTEID | SmartCards and PKCS #11 (PTEID, Java or Python) |
| 8 | Nov 5 | Authentication | Secure communications with SSL |
| 9 | Nov 12 | Authentication | Secure Communications with SSH |
| 10 | Nov 19 | Security in IEEE 802.11 WN | Security of WEP in IEEE 802.11 |
| 11 | Nov 26 | Security in IEEE 802.11 WN | Project Preparation and Review |
| 12 | Dec 3 | Network Filtering with Firewalls | Firewalls with iptables (Linux) |
| 13 | Dec 10 | Security in Operating Systems | Privilege Escalation and Confinement |
| 14 | Dec 17 | Secure and Redundant Storage | Secure Encrypted Storage |

Grades will be posted on the e-learning page. All partial grades presented will be rounded to the hundredths (X.XX).

### Attendance Rules

Students may choose whether to attend the theoretical classes, but it is highly recommended that they do so every week. Attendance at practical classes is mandatory, and student absences will be recorded.

According to the current regulation, students must be present at 80% of the practical classes. For this edition that results in a maximum of 2 unjustified absences. If a student exceeds the number of absences allowed, they will automatically fail the subject and will not be allowed to attend any other evaluation event during the current academic year.

Grading is composed of two components, each contributing 10 points (50%) to the final grade.

1. Theoretical Component:
   • Option 1: 1 intermediate test and 1 final test, each worth half of this component's points.
   • Delivering the intermediate test implies following Option 1 (i.e. students cannot take the final exam).
   • Option 2: 1 final exam covering all topics, worth 20 points (in 20).
   • Dates:
      • Intermediate Test (IT): November 9th, 2018, Anf V, 14:30-15:30, addressing all contents until Smartcards (inclusive)
      • Final Test (FT): TBD, addressing all contents since Authentication Protocols
      • Final Exam (FE): TBD, addressing all contents
   • Final Theoretical Grade: (IT + FT) or (FE)
   • Minimal grade of this component: 8.50 in 20, i.e. $it + ft \geq 8.50 \text{ or } fe \geq 8.50$
2. Practical Component:
   • Development of one project by a group of 2 students. Exceptionally, 3 may be allowed after explicit authorization.
   • Groups with additional members will be penalized by 1 point per extra member (per project).
   • Groups with one member will have a bonus of 10%.
   • Groups with three members will have a penalty of at least 10%.
   • There will be only a final delivery.
   • Minimal grade of this component: 8.50 in 20, i.e. $proj \geq 8.50$

### “Recurso”

Grading is composed of two components, each contributing 10 points (50%) to the final grade.

1. Theoretical Component: Optional exam
   • Theoretical exam covering all contents lectured or experimented with
   • Minimal grade of this component: 8.50 in 20
2. Practical Component: Optional practical project
   • Development of the project by two students
   • Minimal grade of this component: 8.50 in 20

The following description was not coherent with what was agreed during the lectures and should not be considered.

1. _Theoretical Component_: Mandatory theoretical exam
   + Minimal grade of this component: 8.50 in 20
   + Will replace the grade of the theoretical component obtained during the semester
2. _Practical Component_: Optional practical project
   + Development of one project by a single student
   + Optional but subject to the following rules:
      * The corresponding theoretical exam is mandatory
      * Students can only enroll after they have completed the corresponding theoretical exam and achieved a grade of at least 8.50 in 20.


## Theoretical classes

1. Introduction: Slides
   • Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Chap. 1
   • Segurança Informática nas Organizações, H. São Mamede: Chap. 1
   • Segurança em Redes Informáticas, A. Zúquete: Chap. 1
2. Vulnerabilities: Slides
3. Cryptography: Slides
   • Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Chaps. 2 & 3
   • Segurança Informática nas Organizações, H. São Mamede: Secs. 3.2, 3.4 and 3.6
   • Segurança em Redes Informáticas, A. Zúquete: Chap. 2
4. Management of Asymmetric Keys: Slides
5. SmartCards - PTEID: Slides
6. Authentication: Slides
   • Security in Computing, 4th edition, C. P. Pfleeger, S. L. Pfleeger: Sec. 4.5
   • Segurança Informática nas Organizações, H. São Mamede: Sec. 3.5
   • Segurança em Redes Informáticas, A. Zúquete: Secs. 5.3, 5.4.1, 8.6.3, 8.9.2, Chap. 10
7. Security in IEEE 802.11 WN: Slides
   • Segurança em Redes Informáticas, A. Zúquete: Chap. 9
8. Network Filtering with Firewalls: Slides
9. Security in Operating Systems: Slides
10. Secure and Redundant Storage: Slides
   • Segurança Informática nas Organizações, H. São Mamede: Sec. 5.9.1

## Practical Classes

Project: Assignment

• November 15th - Provide a written description of the security mechanisms to be used. No implementation is required and it will not involve any grading.
• December 31st - Final delivery of the code and report through CodeUA
• 1st week of January - Presentation and demo of the solution implemented
• January 25th - Final delivery of the code and report through CodeUA for the Recurso season.
• Last week of January - Presentation and demo of the solution implemented

• Vulnerabilities - ARP Poisoning: guide, aux slides1, aux slides2

• Vulnerabilities - XSS and SQL Injection: guide, resources, aux slides1, aux slides2

• Cryptography: guide, aux slides1, aux slides2

• Validation of X.509 Certificates: guide, aux slides

• Smartcards: guide, aux slides

• Secure Communications with SSL: guide, PTEIDCerts

• Secure Communications with SSH: guide

• Attacks on WEP: guide

• Linux Firewalls: guide

• Privilege Escalation and Confinement: guide, server.c

• Secure Encrypted Storage: guide

## Virtual Machine

Students can use a preconfigured virtual machine (distributed in a compressed format), containing most of the software required during the practical classes.

In order to use the image, create a VirtualBox virtual machine and then add the image as a Disk. To optimize performance and disk space, select the options to use the Host Cache, and to set the disk as a Solid State Drive.

## Exams

• T1: November 9th, 14.30, Anf V
• T2 and E1: January 22nd 2019, 10.00, Anf. 2.1.10, 2.1.11
• ERecurso: February 8th 2019, 15.00, TBD

Exams from previous editions are available here