Security in Informatics and Organizations 2020/2021

This subject belong to the 3rd year of the LEI degree, following the description present at the official webpage

This edition will be lectured by professor João Paulo Barraca (email: [email protected]), with the support of professor Vitor Cunha (email: [email protected]). Both professors will both be available by email and Discord, especially during the allocated tutoring slots. The use of the Slack platform for direct communication is highly recommended. Official course information will be available in this page, or through the Elearning platform.

Classes will be lectured in the Portuguese language, unless there is a foreign student attending. In this case English will be used. All content is developed in the Portuguese and English languages.

As requirements for this subject, students should be aware that this subject requires a reasonable knowledge and comprehension of several networking, software and operating system topics, such as: the Python/C/Java languages, Linux administration and Linux console usage (mostly Debian and Arch), virtual machines, sockets, HTTP and HTML, asynchronous applications, hardware architectures.

Important Dates

  • T1: TBD
  • T2 and E1: TBD
  • ES and PS: TBD
  • EE and PE: TBD

Theoretical Component

  1. Introduction: Slides-PT, Slides-EN

  2. Vulnerabilities: Slides PT, SLides-EN

  3. Cryptography: Slides

  4. Management of Asymmetric Keys: Slides

  5. SmartCards - PTEID: Slides

  6. Authentication: Slides

  7. Security in IEEE 802.11 WN: Slides

  8. Network Filtering with Firewalls: Slides

  9. Security in Operating Systems: Slides

  10. Secure and Redundant Storage Slides

Practical Component

Applied Security Assignments

These assignments will focus on the content of the practical classes, assessing the analytical and programming aspects of security in information systems. Each assignment will contribute with 2.5 points to the final grade.

Students will have a total grace period of 96 hours after the deadline of the assignments. As an example, returning the first assignment at 7 AM will discount 7 hours from each student in the same team. In the following assignment, the students will only have 89 hours available.

After the grace hours are over, each hour will incur in 0.083 penalty points.

  1. Vulnerability Assessment and Exploitation: TBD
    • Deadline: TBD
  2. Applied Cryptography: TBD
    • Deadline: TBD
  3. Authentication and Access Control: TBD
    • Deadline: TBD
  4. Forensics Analysis: TBD
    • Deadline: TBD

Laboratory guides

  1. Vulnerabilities - SQL Injection

  2. Vulnerabilities - XSS. CORS and CSF

  3. Cryptography

  4. Validation of X.509 Certificates

  5. Smartcards and the Portuguese eID

  6. Secure Communications with SSL

  7. Secure Communications with SSH

  8. Attacks to Wireless Networks

  9. Linux Firewalls

  10. Privilege Escalation and Confinement

  11. Secure Encrypted Storage (to be done autonomously)

Useful Content

Software

  • AirCrackNG: A complete suite of tools to assess WiFi network security.
  • Bettercap: The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks.
  • Wireshark: The most popular packet sniffer application.
  • WebGoat: A deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
  • Kali Linux: A popular Penetration Testing Distribution.
  • John the Ripper: A password Cracker.
  • Hashcat: Advanced Password Recovery tool, especially tailored at OpenCL.
  • nmap: Probably the most famous port scanner and recognaissance tool.
  • Pwnagotchi: Deep Reinforcement Learning for Wifi Pwning.

Websites

Books

Misc Resources

Planning

According to the UA academic schedule classes start on October 6th, and end on January 19th. The subject is composed by a 2 hours theoretical lectures, 2 hours of practical laboratories, and 1 hour of tutoring making, a total of 5 hours per week of contact hours. It is expected the students to spend an additional 2 hours per week exploring the concepts presented during the lectures. It is also expected them to make use of the tutoring times. Theoretical classes will present key concepts related to the application of security to modern information systems, and its application to organizations. The practical classes will be focused in the exploration of these concepts, and in the exploration and analysis of popular security attacks.

The topics lectured in each class should be as presented in the next table. Changes may happen, so please check it frequently.

# Date Theoretical class Practical class
1 Oct 12 Introduction Vulnerabilities: SQL Injection
2 Oct 19 Vulnerabilities Vulnerabilities: XSS and CORS
3 Oct 26 Applied Cryptography Cryptography - Stream Ciphers
4 Nov 2 Applied Cryptography Cryptography - Block Ciphers and Digests
5 Nov 9 Applied Cryptography Cryptography - Asymmetric ciphers
6 Nov 16 Management of Asymmetric Keys Certification Chains
7 Nov 23 Smartcards: PTEID SmartCards and PKCS #11
8 Nov 30 Authentication Secure communications with SSL
9 Dec 7 Authentication Secure Communications with SSH
10 Dec 14 Security in IEEE 802.11 WN Security in IEEE 802.11
11 Dec 21 Network Filtering with Firewalls Firewalls with iptables
12 Jan 4 Security in Operating Systems Privilege Escalation and Environment
13 Jan 11 Security in Operating Systems Confinement
14 Jan 18 Secure and Redundant Storage Secure Encrypted Storage

Grading

Grades will be posted the elearning page. All partial grades presented will be rounded to the hundredths (X.XX).

Attendance Rules

Students can choose to attend the theoretical classes, and is highly recommended they do so every week as it correlates with a good outcome. Attendance to practical classes is mandatory and faults will be recorded. Due to COVID all attendence will be recorded.

According to the University rules, students must be present at (at least) 80% of the practical classes. For this edition that results in a maximum of 2 unjustified faults. If a student exceeds the number of faults allowed, he will automatically fail the subject and won’t be allowed at any other evaluation during the current academic year.

Grading rules

Grading will be composed by two components, each contributing with 50% to the final grade.

  1. Theoretical Component: Relates to the contents lectured during the theoretical lectures and laboratories.
    • Option 1: 1 (One) intermediate test (T1), and 1 (One) final test (T2), each contributing with 50% to the component.
    • Each test will cover half of the contents lectured.
    • Students may access the intermediate test without actually returning it for grading.
    • Returning the intermediate test signals the choice of following Option 1.
    • Option 2: 1 (One) exam (E1) that covers all contents lectured, and contributing 100% to the component.
    • This option is available for students that do not return the intermediate test.
    • Dates:
      • Intermediate Test (T1): DATE TBD, including questions that address all contents until Smartcards (including).
      • Final Test (T2): DATE TBD, addressing all contents since Authentication Protocols.
      • Final Exam (E1): DATE TBD, addressing all contents lectured
    • Final Theoretical Grade: (T1 + T1) or (E1)
    • Minimum grade of this component: 7.0 in 20
      • i.e. $ \frac{t1 + t2}{2} >= 7.0 \text{ or } e1 >= 7.0$
  2. Practical Component:
    • Development of practical projects by a group of 2 students. Exceptionally, 3 students may be allowed after explicit authorization by the professors.
      • groups with more than 2 members will have a penalty of 10%, but assignments may be awarded +10% due to the addition of added innovation.
      • groups with one member will not have any bonus.
    • Minimum grade of this component: 7.0 in 20
      • i.e. $practical >= 7.0$

The following table summarizes the points of each component:

Component Item Contribution
P Assignment 1 12.5%
P Assignment 2 12.5%
P Assignment 3 12.5%
P Assignment 4 12.5%
T Intermediate Test- T1 (option 1) 25%
T Final Test - T2 (option 1) 25%
T Final Exam - E1 (option 2) 50%

Supplementary season

The supplementary season usually takes place in the end of January, and is available for all students that did not obtained at least 9.50 points during the normal season. The remaining students may also access this season, but the University requires an additional administrative. Grading will be composed by two components, each contributing with 50% to the final grade.

  1. Theoretical Component : Optional exam (ES)

    • Theoretical exam covering all contents lectured in theoretical classes or laboratories.
    • Returning this exam will replace the theoretical grade obtained in the normal season, if this grade is higher than the previous one.
    • Minimum grade of this component: 7.0 in 20.
  2. Practical Component: Optional practical project (PS)

    • Development of a practical project by one or two students.
    • Minimum grade of this component: 7.0 in 20.

Special season

The special season usually takes place in September and is available to students in specific cases. Accessing this season will require an additional administrative process.

Grading will be composed by two components, each contributing with 50% to the final grade.

  1. Theoretical Component : Optional exam (EE)

    • Theoretical exam covering all contents lectured in theoretical classes or laboratories.
    • Minimum grade of this component: 7.0 in 20.
  2. Practical Component: Optional practical project (PE)

    • Development of a practical project by one student.
    • Minimum grade of this component: 7.0 in 20.