topic # Topic Reading Homework Slides
1

8/30/12

breadth and spectrum of the field

operating systems' resource access controls as a foundation

steganography

Read Schneier (approx 400 pages, narrative, easy reading)

Garfinkel textbook:
chapters 1-3 (scan)
chapter 4
 "Users, Passwords, and Authentication"
chapter 5
 "Users, Groups, and the Superuser" 

1 - review class website, esp. the links entitled "Syllabus" and "Course description"
2 -
get/order the 3 textbooks (per "syllabus" link on main page)
3 - read the material in the "Reading" column at left
4 - review (optionally) the slide presentations at the links entitled "general considerations" and "users/processes/resources" at left.
5 - per instructor, obtain copies of VMWare virtual machines as platforms for some of our exercises; install VMWare on a computer available to you on which to run these VMs
6 - as a tourist, visit the informational links listed at left under the heading "DETER net testbed". Gain initial familiarity with DETER at casual level. We will arrange DETER accounts for you shortly.
7 - listen to this narrated lecture about user accounts 
8 - view setup security screenshots from Dell Latitude D620 laptop

general considerations

users/processes/resources

secure boot

steganography

2

9/6


 

steganography
user accounts

in-class demo
 - s-tools

in-class exercise
 - Disabling users

-

do
-steganography - use s-tools in Windows to create an image file containing an embedded text file. Get s-tools here. Be guided closely but not completely by the instructions at the link entitled "steganography" in the assignments column of the main web page. Assuming your name is John Smith (substitute your own real name), please name your files
  smith.bmp and
  smith.txt
In the txt file, put the sentence, naming you, like "my name is John Smith". The image file itself should be sunset.bmp, produced from sunset.bmp. Embed the text file into the image file, using password "password" and encryption algorithm IDEA. email to me the resultant file attached to a message entitled "steganography" (I will use an email filter based on that title, if you name it something else I won't get it). Email it to my private email address, not my SMC address. You get credit if I can extract your text file and read your name. (In the assignment as written up at the "steganography" link, ignore the 2nd portion about covert channels. The assignment was written for use in a slightly different setting. Follow it in terms of its step-by-step for using s-tools but not in terms of the assignment administration. Those just described here are the ones that apply for this class. In particular ignore the questions at the end. The assignment can be done on your Windows machine, or on my delivered VMware Windows virtual one you installed in Assignment 1. Be aware that some anti-malware tools may dislike s-tools. If yours does, turn it off if you are not uncomfortable doing so. You have every right to be and it's wholly your call. Else, use the VM.)

Users

3

9/13

processes

in-class exercise
ProcessUID control
 version 1 - local

read from textbook
 a - chapter 6 "Filesystems and Security"
 b - pp. 600-610 in the section of Chapter 19 "Defending Accounts" entitled " Administrative Techniques for Conventional Passwords."
 c - pp 850-61 about processes and the ps command that reports on them; read this at a scan level, not to learn the detail in the tables and figures but the concepts in the narrative
read additional resources
 the link at left entitled "File permissions"
 the link at left entitled "Remote Unix access with ssh"

su, suid, sudo and process UID control
perform the exercise at the link entitled "version 1 - local" under the heading "ProcessUID control" at left. You can do it on your fedora 7 VMware virtual machine.
getting the needed files - the assignment asks you to acquire 2 files. They are available in the /home/public directory on sputnik.smc.edu.  Use the method described here.
submit  - When you are finished, answer the 3 questions at the end. Submit your answers following these preparation and submittal instructions (you will use scp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "uid.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.
processes

ProcessUID control

4

9/20

authorization read from additional (non-textbook) sources
 a - the link entitled "File permissions" at left
 b - Part 1 and part2 of an article from IBM about passwords. Don't worry about the parts where specific code examples are analyzed (unless particularly interested). Note the article's suggestion to utilize dice for composing passwords in order to achieve "a completely random distribution of passwords of a given length." Randomness is a virtue, and dice achieve it better than any computer.
 c - a discussion of the importance of randomness for producing "perfect passwords" at Gibson Research Corporation.
visit - sites for a couple of password safes, products where you put a password on your collection of passwords.
  Password Safe
  LastPass
  podcast discussion about LastPass  

road-test your DETER account by doing the exercise at

http://homepage.smc.edu/morgan_david/cs78/smc-deter-account.htm

You need send me nothing for this, I can see as a DETER administrator. We'll use DETER more seriously later. This is just to get you familiar with it first.

 
authorization

 

5

9/27

authentication

message digests (hashing)

least-need

in-class exercises
Pluggable authen-
tication modules
 PAM

least-need principle (stripping unneeded services)
 SysVinit version
 systemd version

read - article about Linked-In password leak implications

read - from textbook, chapter 7 "Cryptography Basics"

message digests:
listen to this discussion about message digests (cryptographic hashes). It's is a 34 minute conversation, of which you can skip the last 14 minutes for our purposes. Just listen to the first 20 minutes.
perform - the "message digests" exercise.
It asks you to acquire a file called "makebigfiles." It resides on the server, in /home/public/. Do this assignment while logged in to your account on sputnik.smc.edu, in your home directory (there, you could get the file just by a local copy operation). Don't delete the files created while performing the assignment. I will look for them in your home directory later to evaluate you.
passwords:

Cracking passwords
John the Ripper (2)

Cracking passwords
with hashcat

perform - the hashcat version of the above "Cracking passwords" exercise. Use the kali-linux virtual machine found in file kali-2015.zip. There are copies of it in /home/public on both sputnik.smc.edu and unexgate.dmorgan.us. Please retrieve it with scp via command line or filezilla utility. Use it under VMware. When unzipped, kali-2015.zip yields a subdirectory named "kali-2015" in which are all the files VMware needs. Bring up kali linux in VMware. kali linux has hashcat pre-installed.

This exercise has several parts. Do them all. When finished, maximize your command window and dump the file hashcat.pot to the screen with the command:
  cat  hashcat.pot
submit - two results to me from this exercise. First, take a screenshot of your screen showing the hashcat.pot dump in the command window and send it to me as an email attachment. Be sure to 1) send it to my personal address, not my smc address, and 2) title the message "hashcat" or it will get lost, 3) make sure you put your name in the message or I'm unable to give credit to you. Second, consider the 2nd question at the bottom of the exercise and use the Mandylion spreadsheet as it asks. Then answer these questions, which recapitulate the exercise's 2nd question (refer to it in answering these):
  1. the length of the numbers-only password that requires at least 50 years to crack, in characters, according to the spreadsheet, is:
  a. 12  b. 15  c. 17  d. 19  e. 24
  2. with today's computing power (what is "today's"? refer back to the page for the exercise), the length of the password that requires at least the rest of your life to crack, in characters, is:
  a. 12  b. 15  c. 17  d. 19  e. 24
  3. accounting for the continued operation of Moore's law, the length of the password that requires at least 50 years to crack is:
  a. 12  b. 17  c. 19  d. 24  e. 28
  4. the shortest "mixed character" password that'll last 50 years, in characters, is:
  a. 12  b. 17  c. 19  d. 24  e. 28
Submit your answers to the preceding 4 questions following these preparation and submittal instructions (you will use file transfer to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "passwords.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.

Pluggable Authentication Modules (PAM)

Passwords

User authentication alternatives

message digests

6

10/4

cryptography read - the write-up at "Simplified DES" 
listen - to the two audio clips (see the icon) "1. SDES - Simplified DES" and "3. SDES Mangler Function." Optionally, also hear "8. Cipher Block Chaining."
do - the assignment at link entitled "S-DES algorithm". The assignment asks you to perform the S-DES algorithm on paper and turn in the paper. Do not turn in any paper, but please do perform the assignment on paper nonetheless. I have created some multiple-choice questions about your solution, and posted them as >>>your assignment here<<<. Submit your answers to those questions following these preparation and submittal instructions (you will use sftp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "sdes.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.

cryptography

s-des backgrounder

s-des operation example

7

10/11

firewalls

cryptography

read - this article about one-time pad (perfect, unbreakable) encryption


do
- the firewall construction experiment on DETER, found at the link entitled "firewall construction (on DETER)".
Please note:
  a) you should use the right network specification file, which is this one (firewall6.ns) not the one(s) shown within the assignment itself.
  b) the names of this project, and the one for which the instructions were written, differ. Our project is known to DETER by the name SMC-CS78. The instructions don't know that, they think it's USCCsci530. Wherever you see the latter in any instruction, substitute the former (e.g., where told to execute:
 cp /proj/USCCSci530/exp/server4.c  /root
execute instead:
 cp /proj/SMC-CS78/exp/server4.c  /root  )
c) the instructions invite you to contact a Netgear router on the internet. It died and is no longer available.
d) the instructions end by assigning you questions to answer. Don't answer the questions. Instead, I have recast them in a multiple-choice form and posted them as >>>your assignment here<<<. Submit your answers to those questions following these preparation and submittal instructions (you will use sftp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "firewalls.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.

one-time pad
do the one-time pad exercise
submit  - When you are finished, answer the questions at the end. Submit your answers following these preparation and submittal instructions (you will use scp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "otp.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.


packet filter  firewalls

stream and block ciphers (stream)

 

8

10/18

cryptography

arp spoofing (a man-in-the-middle attack)


read - from textbook chapters 11 and 12. Chapter 11 "TCP/IP Networks" should come in large measure as review to you. Chapter 12 "Securing TCP and UDP Services" is long, and covers a range of security considerations. Some of them are general but many are specific to particular services. The latter part of the chapter devotes a page or two to each of a dozen common services, describing it and its own unique security related characteristics. Read these chapters over the course of the next 3 or 4 weeks. They relate loosely to the network related class lectures and activities (e.g., firewalls and arp spoofing)

read - an explanation of arp spoofing

 

for reference:

rfc defining arp protocol

home page, ettercap project

man pages for arp, arping, ettercap, tshark


Arp spoofing
(DETER)

You need to make a couple of adjustments. Our project is known to DETER by the name SMC-CS78. The instructions don't know that, they think it's USCCsci530. Wherever you see the latter in any instruction, substitute the former (e.g., where told to execute:
 cp /proj/USCCSci530/exp/server4.c  /root
execute instead:
 cp /proj/SMC-CS78/exp/server4.c  /root  )

The questions for you to answer are the following, which are the same ones found at the end of the exercise in non-multiple-choice form, recast into multiple-choice form.

 1. ARP poisoning of node4 from node1
 a. can be done the same way as ARP poisoning of node0 from node1
 b. can be done the same way as ARP poisoning of node2 from node1
 c. can be done the same way as ARP poisoning of node3 from node1
 d. cannot be done from node1

 2. At the end of section 6 the question is posed,"How does traffic between node2 and node0 get from node2 to node0?" Under the circumstances of that section, how??
 a. via/through node1
 b. via/through node3
 c. via/through both node1 and node3, duplicate copies being sent
 d. via no other nodes than themselves

 3. Consider the question "How?" that appears at the end of section 7. Recall that node2 logged into ftp on node4 and somehow node1 figured out the user password given by node2. How??
 a. the password that node2 issued to node4 transited node1 on the way from node2 to node4, and node1 decrypted it
 b. node2 broadcast the password for node4, and node1 decrypted it
 c. the password that node2 issued to node4 transited node1 on the way from node2 to node4, and was unencrypted
 d. node2 broadcast the password for node4, and it was unencrypted

 4. Imagine you run a web hosting company. The manager at one of your clients, a medium sized business, calls you in alarm and reports the apparent defacement of his website running on your host machine. Images on the site have all been replaced with various hacker images like the laughing skull. He heard about it from several of his employees, then saw it with his own eyes on their terminals. His website has fallen victim to the same mischief as the one on our node4. What is your course of action?
 a. temporarily block access to the web server machine that contains the customer's site, while you diagnose the site's corruption
 b. examine the site's constituent files within the web server machine, to pinpoint (and fix) the corrupted ones
 c. both a and b
 d. no action, because the site isn't corrupted

Submit your answers to the preceding 4 questions following these preparation and submittal instructions (you will use ftp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "arpspoof.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.

 

Japanese Naval Code JN-25

stream and block ciphers (block)

arp spoofing

9

10/25

cryptography


GNU Privacy Guard:

 GPG (GNU Privacy Guard) official page

 GPG Mini HowTo

 GNU Privacy Handbook

 RFC2440 - OpenPGP message format

 Enigmail  

Encryption modes:

 block cipher modes of operation

 listen to Security Now podcast episode #183 "Modes of Encryption" from 50:45 to 1:18:07

do the assignment entitled "GNUPrivacyGuard". There are no questions to answer and nothing to turn in. But importantly this will familiarize you with how GPG works. You will need that familiarity to apply GPG in doing the upcoming follow-on assignment (GPG, community).

do the portion of the "GPG, community" assignment in the paragraph entitled "Preliminary task: sign and circulate/upload/publicize a copy of the gettysburg address".
 You can obtain gettysburg.txt by sftp/scp from sputnik.smc.edu's "public" account, password given in class.
  As a commonly accessible file-exchange mechanism among class members for this assignment, use the account "common", password given in class, and sftp/scp to up- and download files from common's home directory on the server. Upload both your gpg-created key for this assignment and your signed copy of gettysburg.txt. (If operating from the class server itself, as opposed to a private machine remote from it, you can still use scp using the server machine's own address 127.0.0.1 for that of the target machine.)
I will process the student uploads and deposit resultant files in the "common" home directory for you to do the next step in the assignment. When I have done so and all is ready, I will notify you. Then, you will be able to proceed and do the assignment's "Part 1" and "Part 2."

do - encryption modes


GNUPrivacyGuard (gpg)

RSA algorithm

10

11/1

cryptography
in-class exercise:
 RSA encryption 2

secure shell
in-class exercises:
 
ssh key setup
 ssh file access

key exchange

RSA public-key algorithm
read
the section entitled "RSA: The Most Used Asymmetric Algorithm" in "Asymmetric Cryptography" (http://www.informit.com/articles/article.aspx?p=102212&seqNum=4)

Secure Shell (ssh)
read the textbook's coverage of ssh, pp 341-346
visit
 "Getting started with SSH"
 "OpenSSH FAQ"

Diffie-Hellman key exchange
 - one article
 - another article

listen to this discussion about Diffie-Hellman key exchange.. The conversation is 37 minutes. The first 14 minutes concerns Diffie-Hellman. The rest is about public-key cryptography. Listen to the Diffie-Hellman segment. Optionally, to the rest.

do the portion of the "GPG, community" assignment in the paragraph entitled "Part 1 - signing".
In the server's /home/common ("common" account's password given in class) your signed copies of the gettysburg address have been or will shortly be renamed, per the assignment. You can now proceed to figure out who signed each one and submit "signers.txt". The students who signed these files have all published their public keys to us (by putting them in /home/common where they are at our disposal).

do the portion of the "GPG, community" assignment in the paragraph entitled "Part 2 - encrypting".
In sputnik's /home/common I have or will shortly put a file for each of you, bearing your name and encrypted with the public key you gave me (by uploading it into /home/common). You can now proceed to decrypt that file. Credit for this part of the assignment is given when you reveal to me what I encrypted for you, by telling me verbally or emailing it to me.

do the assignment at the link entitled "RSA encryption 2". Perform it on your server account or on your linux VM. When asked to choose 2 prime numbers, make sure you choose them large enough that their product is no less than 100. The assignment produces a file named "outfile". Please submit it to me by placing it in your "assignments" subdirectory on the server. Retain the values you generated for keys in this exercise (e.g., don't delete outfile) because I will ask you to use these keys again in a follow-on assignment. (I plan to encrypt something for you with the public key you give me in "outfile", then expect you to decrypt it. You'll need your matching private key to manage that, so retain it. Doing this assignment accomplishes the first 3 steps of the follow-on assignment, which is "Using RSA"

do the assignment at the link entitled "Primitive roots"

 

ssh - secure shell

key exchange

11

11/8

cryptography

application flaws

Stack buffer overflow:

Hackin9 magazine article Overflowing the stack on Linux x86 by Piotr Sobolewski

GNU debugger (gdb) documentation


Sign extension code flaw in crypt_blowfish:

a bug in a library of code called crypt_blowfish. It applies the blowfish block cipher algorithm to the task of hashing passwords. It was utilized as the tool for doing that in some linux distributions (not fedora). The bug was there since about 1998 until patched in 2011. It substantially weakens the passwords it processes. It was found while trying to crack some passwords with John the Ripper.

 discovery (1996)
 rediscovery1 (2011)
 rediscovery2
 rediscovery3
 
Security Now podcast - “Anatomy of a Security Mistake”
 audio
 transcript

 

do the assignment at the link entitled "Primitive roots"

do the assignment at the link entitled "Using RSA", using your private key to decrypt a message from me. Of the 8-item list at the beginning of the assignment, you accomplished the first 3 steps last week when you performed "RSA encryption 2". You generated a key pair. Then you published your public key to me when you put your "outfile" containing it within my reach in your assignments directory. I have since or will shortly perform step 4, encrypting a random string with your public key. All my random strings are 3-character uppercase-alpha strings. 

The assignment calls upon you to get files:
  ciphermessage-<yourname>  [containing a string encrypted by me using your pubkey]
  decr  [script to process above file, yielding the string]
Both can be found in the home directory of user "public" on the server (password for account "public" given in class).
Get your "ciphermessage" file then decrypt it using the "decr" script and your private key, per the assignment. You could transfer files and do this on your own linux machine, or you could do it just as well in place on the server itself where the files already are. To get credit: tell me what your random string is at our next class meeting.

optionally explore - the stack overflow demonstrated in class - the environment suitable for reproducing and playing with it is in the form of a VMware virtual machine. The virtual machine is in the file "Snort on Centos 4.3 minimal-with-gdb.zip". That file can be found in the home directory of user "public" on sputnik. Here are instructions for causing/observing the stack overflow within that environment (they can be expected not to work in other environments). The sample files are in the /root directory, within your virtual machine.

(review, reinforcement of above 4 topics gpg, rsa, ssh, diffie-hellman)

Application security (stack overflow, representing the category)


12

11/15

tunnels/vpns

 

IP-over-IP rfc's
 "IP in IP tunneling"   "IP encapsulation within IP"

SSH
 "Getting Started with ssh”

free clients for Windows
 puTTY
 OpenSSH

stunnel

 stunnel homepage

 "SSL Encrypting Syslog with Stunnel" article

OpenVPN

 "OpenVPN project"

 wikipedia article

 client for Windows

DETER "Tunnels and vpns" assignment

The instructions were written for a different class. They largely apply with a couple of exceptions.

First exception: do not use the network specification files offered within the instructions. Rather, use one adapted for this class. There are two of them. The first sets up Fedora machines within DETER, the second Ubuntu. 

DETER has relatively more available machines able to run Ubuntu. That means when DETER is under heavy use you'll have a better chance of swapping in your experiment if you use the Ubuntu version. On the other hand, the Fedora version is tried-and-true and the Ubuntu one is brand new Nov 2012. I suggest you use the Ubuntu one, contact me if you observe fundamental problems, and use the Fedora version as fallback. DETER is particularly busy right now (mid-November 2012).

Here are the 2 ns files:

 network specification (ns) file for Fedora nodes

 network specification (ns) file for Ubuntu nodes

Second exception: our project is known to DETER by the name SMC-CS78. The instructions don't know that, they think it's USCCsci530. Wherever you see the latter in any instruction, substitute the former.

With those two caveats, here are the instructions to follow:

Tunnels and vpns (DETER)

You need not answer the questions found at the end of the assignment. I will grade you by 1) observing the presence of evidence on DETER that you did the assignment, and 2) screenshots you turn in. However, as a self-measurement, read the questions and see whether you think you understood their points or not.

What to turn in:

When you reach the point early in the assignment where you have opened 5 terminal windows connected to your 5 experiment nodes, print out a screenshot of it that looks like the one in the instructions.

When you reach the point in the assignment section about OpenVPN "Scenario 1: routed tunnel, unencrypted," print out a pair of screenshots showing the tunnel endpoint connection dialogs, just like what you see in the instructions.

Send me the two screenshots as email attachments.


Tunnels and vpns

13

11/29


forensics
peruse article on digital forensics for an overview Computer forensics (DETER) computer forensics
14

12/5


storage encryption

in-class exercise:
 encrypted filesystems

write-up entitled "filesystem encryption." It has 4 links at the bottom. Read them too ( except for the last one, concerning FreeOTFE).

article on the Truecrypt vacuum

listen to this discussion about Truecrypt. You can skip over the initial 14-minute conversational chit-chat and start listening at the beginning of the description of the Truecrypt product.

visit some websites
Truecrypt's website
The truecrypt audit  Truecrypt audit completed
successors TCnext VeraCrypt CipherShed

view - the slides entitled "sshfs - remote filesystem." What relation does the ssh file system bear to encrypted filesystems? to encryption?

do the assignment at the link entitled "truecrypt". Where asked to get files, obtain them from the home directory of user "public" on sputnik.. You are supposed to submit to me a file you create, and to send me information about a file of mine. Do so by sending me a single email message. Make your file an attachment, and include the required information within the message. Make sure the message title is "Assignment 13 Truecrypt". I will use an email message filter that finds such messages and that's what I will grade. If you title your message differently your assignment may get lost. Send your message to dmorgan@world.oberlin.edu (not to my smc.edu address please).

backup onto an encrypted filesystem