CS78 Secure Server Installation & Administration

David Morgan
Santa Monica College
see syllabus for email address

Administrativa

Syllabus

Grade reports

Course outline 


DETER net testbed
  home
  get/use an account
  FAQ
  tutorial
  news report (pbs)


General Information

RFC lookup

Remote Unix access with ssh

TCP/IP Pocket Reference Guide

TCP/IP paper - "Intro to the IP Protocols"

Wireshark doc
html   pdf

ntop overview

Sockets: socket programming

Sockets: sample programs
 - letter-upgrader server
 - letter-upgrader's client

Encryption article
(DES, public-key)

encryption
calculator

filesystem encryption


Linux

Fundamental Unix Commands

vi - the Visual Editor

File permissions

FALL 2017
Section 4493 6:45p - 9:50p Wednesday, Business Building room 263

This Website (http://homepage.smc.edu/morgan_david/cs78/) will be used to communicate with you. Announcements, grade reports, and assignments will be posted here. The site can be viewed from an internet-connected browser anywhere. You are responsible for awareness of the information posted here.

Thank you - for taking this course. It looks like cybersecurity will remain of  relevant interest and concern to us as individuals and society for the indefinite future. You understand it better than 95% of the population. I hope you will be able to use your knowledge to your benefit. (12/15)

Other classes I teach - are known to you from the main website front page. There, you can see the class-specific pages from recent semesters for a fully concrete idea of what they are.

CS40 - Operating Systems (3hr credit, next offered Spring 2018)

CS41 - Linux Workstation Administration (3hr credit, next offered Fall 2018)

CS70 - Network Fundamentals and Architecture TCP/IP networking (3hr credit, next offered Spring 2018)

CS75 - Network Protocols further depth and variety beyond CS70 (2hr credit, next offering unscheduled.)

I also teach related courses at UCLA Extension including a new one on shells and shell scripting (UCLA's fall quarter, September) and a "linux intermediate" which amounts to system administration topics that go beyond my SMC CS41 curriculum. They are more costly than those of community college, but are public and available. (12/15)

If you want to learn a lot of linux in a little time - I recommend the SCaLE 16x (Southern California Linux Expo) held Thursday - Sunday March 8-11, 2018. It's intense, inexpensive, local. (12/15)

Legality, encryption, privacy - a few interesting perspectives. (12/15)

Test - to be done outside/online via Canvas, as described in class tonight. (12/13)

Extra Credit Assignments (optional)
Extra credit 1 - tunnels
do tunnels/VPNs as detailed in course outline section 12
Important: you need to make an adjustment. Our project is known to DETER by the name SMC-CS78. The instructions don't know that, they think it's USCCsci530. Wherever you see the latter in any instruction, substitute the former.

Extra credit 2 - encryption modes
read - material about encryption modes from course outline section 9
listen - podcast about encryption modes from course outline section 9
do - encryption modes homework in course outline section 9

Either/both of these two, should you choose to do them, will be accepted through Friday December 22   

(12/13)

Deadline extension for previously assigned homework
Assignment 6 homework - was assigned 11/29 but with no due date given. 3 of the 4 assignments ask you to turn something in.
Previous assignments - that you may not have completed.
These will be accepted through Friday, December 22 if you care to work on them that long. (Sooner is better.) Call to my attention via email anything you turn in, so that I'll be aware of it. Otherwise it can't get graded. (12/13)

Grades - posted at link, upper left, entitled "Grade reports." Includes past assignments, and place-holders for the assignments that are either yet to be recorded (because not yet due) or extra credit. The cumulative average does not incorporate these latter. They are shown to indicate what further work you should expect to do. Please call any anomalies to my attention. (12/13)

Grades - posted at link, upper left, entitled "Grade reports." Includes past assignments, and place-holders for the assignments yet to be recorded for the remainder of the course. The cumulative average does not incorporate the latter. They are shown to indicate what further work you should expect to do. Please call any anomalies to my attention. (11/22)

Exam - Wednesday, December 13 in our classroom 6:30pm

Devices, etc. - understanding distinctions among these entities is fundamental to understanding what you are encrypting when you perform data storage encryption.

Western Digital manufactures hard disks
Given a hard disk, grub manufactures a partition table
Given a partition table, fdisk manufactures a partition
Given a partition, mkfs manufactures a filesystem
Given a filesystem, vi manufactures a file (11/29)

Assignment 6 -
read
 - readings about Secure Shell (ssh) and Diffie-Hellman key exchange, course outline section 10 reading column
 - "filesystem encryption" reading, course outline section 14 reading column

listen - to the recorded lectures on
  - "ssh - secure shell," course outline section 10 slides column
  - "key exchange," course outline section 10 slides column
  - "Diffie-Hellman key exchange" discussion,  course outline section 10 reading column

do
 - RSA encryption 2, course outline section 10 homework column
 - the "GNUPrivacyGuard" exercise, course outline section 9 homework column. Do this in your CentOS-6.4 virtual machine.
 - the "Primitive roots" assignment in course outline section 11 homework column
 - the encrypted filesystems exercise, course outline section 14 homework column - due 
(11/29)

VeraCrypt successor to TrueCrypt - TrueCrypt was a widely used open source data encryption tool whose developers abruptly and without explanation "left town" one day in 2014. VeraCrypt is a fork, using TrueCrypt's source code and extending it. Speculation is that TrueCrypt's developers may have been required to desist from their project by law enforcement, to whom the product's effectiveness was daunting. VeraCrypt's website features a "warrant canary" link. Visit it. What is that for? Why is it there? (11/29)

Binary-to-text encoding - is why gpg keys are so funny looking! The keys themselves have arbitrary binary content, so you can't print them, nor use them with protocols that don't handle what you can't print (email). For such problems there are a number of encoding schemes that map arbitrary binary bytes into a subset of bytes that are all printable. gpg uses one called Radix-64 (almost identical to, and better known as, base64). From a text or stream, it divides every 3 consecutive bytes (24 bits) into 4 units (6 bits apiece). Printing 8-bit units would require 256 distinct characters whereas printing 6-bit units would require 64. We don't have 256 characters. We have about 100. So while we don't have enough to go around for 256 values, we can accommodate 64 of them: with conversion we can print anything. (11/29)
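
As an added illustration (not part of the course materials), the Python below performs the 3-bytes-to-4-characters split described above by hand, checks it against the standard library's base64, and adds the CRC-24 checksum line that is the main difference between OpenPGP's Radix-64 armor and plain base64 (RFC 4880). The function names and the 64-character line width are choices made for this example.

```python
import base64

# The 64 printable symbols shared by base64 and OpenPGP Radix-64.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")


def radix64(data: bytes) -> str:
    """Map every 3 bytes (24 bits) to 4 printable characters (6 bits each)."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # A short final chunk is left-aligned by padding with zero bytes.
        n = int.from_bytes(chunk + b"\x00" * (3 - len(chunk)), "big")
        # Peel off four 6-bit units, most significant first.
        units = [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        chars = [ALPHABET[u] for u in units]
        # 1 input byte -> 2 chars + "==", 2 bytes -> 3 chars + "=".
        keep = len(chunk) + 1
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP ASCII armor in RFC 4880."""
    crc = 0xB704CE                      # initial value from the RFC
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB        # generator polynomial from the RFC
    return crc & 0xFFFFFF


def armor_body(data: bytes, width: int = 64) -> str:
    """Radix-64 lines plus the '=' checksum line (no BEGIN/END headers).

    width=64 is an assumption of this example; the RFC allows up to 76.
    """
    text = radix64(data)
    lines = [text[i:i + width] for i in range(0, len(text), width)]
    lines.append("=" + radix64(crc24(data).to_bytes(3, "big")))
    return "\n".join(lines)


if __name__ == "__main__":
    sample = bytes(range(256))          # constructed: every possible byte value
    encoded = radix64(sample)
    # Same result as the library encoder, using only 64 symbols plus "=".
    print(encoded == base64.b64encode(sample).decode())
    print(set(encoded) <= set(ALPHABET + "="))
    print(armor_body(b"123456789"))     # constructed sample input
```
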

Authentication without confidentiality - below is one of our slides. What's the stuff in the red box?

Note there is no encryption of the data, the purpose is not to obscure the data but to make certain it came from Fedora. (11/29)

Assignment 5 -
read
 - the "stack buffer overflow" material, course outline section 11 reading column

listen - to the recorded lecture on
  - packet filter firewalls, course outline section 7 slides column

do - the firewall construction experiment on DETER, course outline section 7 homework column - due on sputnik by end-of-day Sunday 12/3
do - the application security exercise, course outline section 11 homework column - due on sputnik by end-of-day Sunday 12/3 (11/22)

Jet Propulsion Lab summer internship opportunities - Application deadline December 8. Public talk at SMC December 5. If you might want to apply please ask me for links to some application material and forms. (11/22)

Current events - our author Bruce Schneier testified before a congressional committee. Some vulnerabilities in Intel's motherboard Management Engine appeared. See Schneier's blog, also the SecurityNow podcast talked about both in the past 2 weeks. (11/22)

Grades - posted at link, upper left, entitled "Grade reports." Includes the assignments Simplified-Data-Encryption-Standard and one-time pad. Please call any anomalies to my attention. (11/22)

Assignment 4 -
read
 - restated from last week: the readings in course outline sections 4, 5, and 6; in particular section 6's reading on "Simplified DES" bears directly on this week's s-des homework (below)
 - links under heading "GNU Privacy Guard" course outline section 9 reading column
 - link under heading "RSA public-key algorithm" course outline section 10 reading column

listen - to the recorded lectures on
  - GNUPrivacyGuard (gpg), course outline section 9 slides column
  - RSA algorithm, course outline section 9 slides column   

do
 - the exercise at the link entitled S-DES algorithm in the homework column
    of course outline section 6 - due on sputnik by end-of-day Tuesday 11/21
 - RSA encryption 2, course outline section 10 homework column - (delayed a week)
 - one-time pad exercise, course outline section 7 homework column - due on sputnik by end-of-day Tuesday 11/21
   
 (11/15)

Grades - posted at link, upper left, entitled "Grade reports." Please call any anomalies to my attention. (11/15)

Forthcoming homework - to be assigned next Wednesday to be done the following week will include course outline section 10's "RSA encryption 2" exercise, wherein you will manually operate the RSA asymmetric encryption algorithm. (This is done "under the hood," not manually, by encryption software like tls which supports https.) Anticipate this assignment. (11/8)

Assignment 3 -
read
  the readings in course outline sections  4, 5, and 6

 listen - to the recorded lectures on
  - cryptography, course outline section 6 slides column
  - s-des operation example, course outline section 6 slides column
  - "audio clips", course outline section 6 homework column (on s-des by
    Villanova's Prof. Rick Perry)

do - see Course outline topic 5, homework column. There, do both the activities you are asked to "perform." One, about message digests or hashes, the other cracking passwords with hashcat.
 - message digests - due on sputnik by end-of-day Sunday 11/12
 - password cracking - due (one part by email, one part on sputnik) by end-of-day Tuesday 11/14
 (11/8)

Available - if you are interested, my polyalph script demonstrating polyalphabetic substitution (where substitution of a symbol with some 2nd symbol does not always use the same 2nd symbol). It is in the /home/public directory of sputnik. (11/8)

Available - if you are interested, my covertping_transmitter.sh and covertping_receiver.sh scripts demonstrating a covert channel. They are in the /home/public directory of sputnik. (11/2)

Assignment 2  
read from textbook
 a - chapter 6 "Filesystems and Security"
 b - pp. 600-610 in the section of Chapter 19 "Defending Accounts" entitled "Administrative Techniques for Conventional Passwords."
 c - pp 850-61 about processes and the ps command that reports on them; read this at a scan level, not to learn the detail in the tables and figures but the concepts in the narrative
read additional resources
 this page about file permissions
 the link at left entitled "Remote Unix access with ssh"
 the Craig Rowlands covert channel page link in course outline section 2

 listen - to the recorded lectures on
  process UID control (su, sudo, SUID), course outline section 3
  authorization (filesystem permissions), course outline section 4
    (if you took CS41 you may already be familiar with this)
  message digests, course outline section 5 (beginning of cryptography topic)
  also the message digests discussion at the link at the top of the homework
   column in course outline section 5 (the "'message digests' exercise" right
   below it is going to be part of your homework next week)

do the exercise in the course outline section 3's "Homework" column about process UID control. Due on sputnik end-of-day Sunday 11/5.
do - the DETER familiarization activity in course outline section 4's "Homework" column.
We will use DETER next week for a "real" exercise, namely the one in course outline section 5 entitled "Cracking passwords with hashcat." Scan/anticipate/think about it.
(11/1)

Notes on stools homework - It was assigned last week (see 10/25 "Assignment1" link below) without specified due date. Please do it (send required email message/attachment to me). Due to me by email per the assignment by end-of-day Tuesday 11/7.

The Windows XP virtual machine requires you to obtain the stools program via network from a website, therefore needs to be internet-connected. It will be, provided that 1) your host machine (the one in which you installed VMware and run Windows XP as a guest) is itself connected and 2) there is a DHCP server in your local network. If you have any standard ISP service there will be, coming from the device that the ISP placed in your home or office.

Then, run Firefox in XP and go to the stools assignment on our course outline. It contains a link from which you can obtain s-tools4.zip. You need to extract the files it contains. Start Windows Explorer (keystroke sequence windows-key followed by E will do it). Go to My Documents then Downloads. You will see s-tools4.zip. Right click on it, and in the resulting context menu choose 7-zip then "Extract to 's-tools4\'". Enter the resulting s-tools4 directory. Double click on S-Tools.exe to run the stools program. You're on your way. (11/1)

Internship opportunity. (10/26)

Career information event Nov 7. (10/26)

What's wrong with the premise here? (10/25)

Security sites and blogs - follow these during this course. Visit each at least once a week, read and listen to what you find there, guided by what interests you.
 Schneier on Security     Krebs on Security      Exploit Database
 Security Now podcast   SANS Institute semiweekly Newsbites  (10/25)

Email messages sent earlier to students collectively in recent weeks:
 Sept 12   Oct 11   Oct 14   Oct 18   Oct 23    (10/25)

Assignment 1
 - see/do the homework column of section 1 of the course outline
 - do the steganography homework using s-tools in the homework column of section 2
 - listen to the narrated lecture at the link entitled "Users" in the Slides column of section 2
 (if you took CS41 you may already be familiar with this)
 - listen to the narrated lecture at the link entitled "Passwords" in the Slides column of section 5    (10/25)

Practicum - a couple of CS78 students in a previous semester's class expressed specific interest in practice as opposed to theory. Specifically, "I run a server and I want to learn what I need to do to it to give it better security." This course has a rich curriculum, but it isn't primarily a vocational how-to. However I think it would be fun to spend a little time on the side taking a virgin machine, installing an OS on it from scratch with security considerations in mind. In following weeks as we study various topics we may learn some things we could do to harden it. It will be unstructured. I have an available laptop and will install Fedora 17 on it as demonstration. (Things that may come up: setup passwords, bootloader password, disk encryption, streamlined service set, firewall, 2-factor authentication, TPM.)

Passwords we can apply when setting up our scratch laptop:

where created?          where stored?                  which password?       what value?
in Setup                motherboard ROM chip           administrator/setup   passadmi
in Setup                motherboard ROM chip           system                passsyst
in Setup                disk firmware (inside disk)    hard disk             passdisk
in Anaconda installer   within bootloader              bootloader            passgrub
in Anaconda installer   within disk partitions         disk encryption       passphr1

(10/25)

 

First-day administrative information you will need to know:

Procedures for using class laptops

A Remote Unix system account will be created for you.

Distributing files from sputnik to the class as a whole,  publicly - the above file transfer discussion describes file movement to and from your own home directory, exclusive to you. Sometimes I will want to have someplace to put a file so everybody can get to it and download it. When I do that, here's how to download them.

Using ssh (secure shell). ssh is an important tool you will use for interacting with remote computers. For that you will need an ssh client. There are a number of ssh client alternatives.

Running linux at home.

Slides available online - for most if not all slides I will show in class. Links to them can be found in the "Slides" column of the course outline.

Textbooks - Practical Unix & Internet Security, 3rd Edition; Simson Garfinkel, Gene Spafford, Alan Schwartz, O'Reilly & Associates, 2003, ISBN 0596003234

Secrets and Lies, 15th Anniversary Edition; Bruce Schneier, John Wiley and Sons, 2015, ISBN 9781119092438

Opportunity - I'm happy to tell you that as a class we have the fortunate invitation to use a network testbed facility operated by USC/ISI called DETER. I will request individual DETER accounts for you; when they are created you will get an email message with info and credentials. In class I will describe DETER and how we will use it. This will come some weeks into the semester. In the meantime, you can explore the links under the heading "DETER net testbed" at left if you like.

DETER assignments - there will probably be 4:
  - firewalls
  - arp spoofing
  - computer forensics
  - tunnels & VPNs

Introductory - this class, this website
Thank you for your interest in this class and its subject matter. Computer security is current, evolving, important, and fascinating.

This is a hybrid class, half on-ground and half on-line. I plan to use several online vehicles:

- a static website
- recorded, narrated slide presentation lectures
- virtual machines, local and/or remote
- the DETER remote network testbed

More information about these will follow. As for what's on this website, there is more material on it than we will necessarily use.

The primary "home" of the course is this website. Assignments and announcements will be posted here. I suggest you check regularly.

Operating system platform for studying computer security - doesn't matter! Security is operating-system-agnostic. Individual operating systems have their particular security characteristics and vulnerabilities but broad security concerns and topics span platforms and devices. For example, password strength and cracking are the same no matter where a password might be implemented. The implementation of a password system will differ between two OS's but a strong or weak password is strong or weak wherever it is, intrinsically. Having said that, I am knowledgeable about linux and will tend to use it as the primary operating system environment where work in this class will be done. There will be some use of Windows. Knowledge of linux will be a big help to you, however exercises are usually designed to give you the commands you are supposed to run, in order to reveal whatever lesson I'm trying to convey. So, you don't have to know linux commands deeply because I'm going to give you the ones you need when you need them.

Categories of security to be studied
The one that gets the headlines is network security. The way I look at it, there are 4 areas:

- local security
- network security
- application security
- routine maintenance - prevention, detection, recovery

An example of local security is physical access: whether a machine sits behind locked doors or not. Another is password strength. Those are considerations independent of the network, if any. An example of application security is a flaw in code, for example a stack overflow opportunity due to the way the code is written. This permits some side-effect behavior/result unintended by the programmer, classically a way to gain the privileges of the root/administrator/supervisor/superuser found in most operating systems. That's a shortcoming of the application. This problem too, like physical security or password strength, is unrelated to the network, if any. And "routine maintenance" practices to prevent problems (security hardening, anti-virus software), detect them (intrusion detection, disk analysis), and recover from them (backup regimens, log analysis, failover systems) are not specific to networks either. The network attacks in the news are dramatic and sexy, but though computer security encompasses concern for network security, my point is that it goes well beyond it. For a list of specific topics under these categories see the link entitled "Course description" under the Administrativa heading at upper left.

The class plan is to devote some initial time to some introductory concepts and "review" of important local security foundations having to do with resource/file access control-- users, processes, permissions. These are aspects of system administration (if you took my linux class at SMC this is in part review). But they are security aspects of the operating system environment. Indeed user authentication and resulting file access control are a cornerstone of system security. We simply could not omit them from a security class. Thereafter we'll cover some foundations of networking as we need to know them. After that comes all the other stuff. The "Course description" and the links on this page give you pretty good hints what we'll study. And the "Course outline" tells you in concrete detail.

I may post certain lectures, which I expect you to listen to. They consist of narrated powerpoint slides. You need an up-to-date browser and Flash installed. The lectures are fairly heavy, multi-megabyte files. Be patient while they load. If you have a slow connection go listen to them on a faster one (e.g., SMC computer lab would do). After they load they will play. Another alternative is to download them (they are mp3 files) and listen to them with your local media player software. You must click to advance slide-to-slide.

My assumptions about you -
the formal prerequisite is that you took CS70, my SMC class about computer networking. If not, but you have alternative exposure to the concept of network frames/packets and computer addressing you will probably be OK. In particular, I will take that into consideration and make grading allowance in that case should you let me know that you are uncertain about your networking background and tell me a little bit about it. For my email address please see the "Syllabus" link at upper left. In general, this is a relatively advanced course. Somebody who chooses to take it probably doesn't do so casually, and knows a fair bit about computers already or wouldn't be interested. I assume you are generally a technically inclined and experienced person.

My assumptions about your equipment-
I assume you have access to a Windows machine on which you are free to install software. You need access to a linux machine but I'm going to give you that virtually and/or remotely. Windows won't be used extensively but some of the exercises I want to assign do use it. Again, if you don't have a Windows machine please let me know.

Thanks for coming. I think we'll have fun.


Tommy Flowers


Colossus - 1944

 

Enigma