Information Security is a general interest of mine and this was a course I’d been eyeing off for a while now. The course covered many different concepts around information security, both technical (encryption, password security) and procedural (history of encryption, PCI-DSS). Topics studied include:
- Historical cryptography
- Modern cryptography
- Cryptographic Hashing and collision resistance
- Password Hashing and Salting
- Symmetric Cryptography
- History
- Mathematics of Public Key encryption (RSA)
- Certificates and Signature Chains
- TLS/SSL
- Asymmetric Cryptography
- DES/Feistel Cypher, AES, Block mode encryption
- CBC, ECB, CFB
- Authentication Protocols
- Multi-factor authentication
- HTTP authentication
- SSH
- Lamport’s Hashed Password Scheme
- Biometrics
- Quality
- Verification/Identification Modes
- False Accept Rate vs False Reject Rate
- Matching Score and Probability Density Functions
- Comparisons of Biometric Systems
- Information Theory and Huffman Encoding
- Lattice-based access control modelling, Bell-LaPadula model
- Holistic Security and PCI-DSS
- Networking and Wireless Security, Cloud Security
Assessment
The assessment in this course consisted of a few interesting assignments and a final exam. The first assignment was small and actually kind of fun, the second was a writing and research assignment, and the third an interesting exercise in password cracking.
Assignment 1
The first assignment was a small, introductory task to research the IEEE referencing standard, revisit Linux security and solve a simple puzzle.
The main task was to log in to a remote server using a login allocated to each student and find a special file, then discover how the filename was chosen and change the filesystem permissions. I found this task quite fun, particularly when I successfully discovered the trick.
Assignment 2 – Research Report
The second assignment was a research report into C-ITS misbehaviour detection and threats.
REVIEW the current literature in Information Security in Co-operative Intelligent Transport Systems (C-ITS) and misbehavior detection in C-ITS. Provide a concise (1500-2000 words) report that includes the following.
- DESCRIBE THREE of the many THREATS involving misbehaving communications in C-ITS (explain why each is a threat).
- DESCRIBE the current state of research into misbehavior detection in C-ITS.
- PROPOSE How Australia can detect misbehaving C-ITS communications?
Initially I found the assignment, particularly the second part, confusing because I’d never done research analysis before and this topic was quite broad, one which I’d have to research and understand myself before writing about. While researching the threats to C-ITS though, I found a couple of other research reports from other academics and transport authorities. These provided a few other threats and prior research into misbehaviour detection. Then I chose a few, read the original research cited and analysed its quality. Finally, I had enough knowledge and understanding of the problem to actually propose a solution.
As it turns out, my writing, research and proposal were in the top three in the class! My lecturer wanted to post it on the class website as an example of a research report, and pass it on to someone at the Department of Transport.
Assignment 3 – Password Cracking
The final assignment could be done in groups and was to attempt to use software tools to crack the Linux password file from the server instance in Assignment 1.
My group (pair technically) used John the Ripper together with Kali Linux on a VM to try to crack the password hashes. Of course the password hashes are one-way so all the software does is try to hash suspected passwords and see if the resulting hash matches the hash we have. The software has rules to combine dictionary words with punctuation and numbers, or particular subsets of words or numbers so it doesn’t have to hash literally every single permutation of every letter and symbol and number!
So the assignment task was to use the existing software and various rules, both included and of our own making, to try to crack as many passwords as possible. At the same time we also had to write a report documenting what we found, the techniques and rules used, and why the password was found to be insecure.
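As an added illustration (not code from the course or the assignment report), the Python sketch below takes the defender's view of the rule-based guessing described above: it undoes common mangling (case, leet substitutions, digit and punctuation affixes) to test whether a password reduces to a dictionary word, and compares the size of a rule-based guess list with exhaustive search. The wordlist, substitution table, function names and the counting model are assumptions made for the example.

```python
import re

# Constructed sample wordlist; a real audit would load a large dictionary file.
WORDLIST = {"password", "dragon", "summer", "monkey", "letmein"}

# Character substitutions that mangling rules commonly apply, mapped back.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
AFFIX_TAIL = re.compile(r"[\d\W_]+$")   # trailing digits/punctuation
AFFIX_HEAD = re.compile(r"^[\d\W_]+")   # leading digits/punctuation


def base_word(password, wordlist=WORDLIST):
    """Return the dictionary word a password reduces to, or None."""
    pw = password.lower()
    tail = AFFIX_TAIL.sub("", pw)
    head = AFFIX_HEAD.sub("", pw)
    both = AFFIX_HEAD.sub("", tail)
    for cand in (pw, tail, head, both):
        for form in (cand, cand.translate(LEET)):
            if form in wordlist:
                return form
    return None


def guess_counts(n_words, n_affixes, length, alphabet=95):
    """Simplified model: (rule-based guesses, exhaustive guesses).

    Rule-based: each word in lower and capitalised form, alone or with
    one affix. Exhaustive: every string of `length` printable ASCII chars.
    """
    return n_words * 2 * (n_affixes + 1), alphabet ** length


if __name__ == "__main__":
    # Constructed sample passwords for the audit.
    for pw in ("Dragon123!", "P@ssw0rd", "$ummer2024", "xK9#mQ2vLp"):
        word = base_word(pw)
        verdict = f"reduces to '{word}'" if word else "no dictionary base found"
        print(f"{pw:12} {verdict}")
    rules, brute = guess_counts(100_000, 1_000, 8)
    print(f"rule-based guesses: {rules:,}  exhaustive: {brute:,}")
```

A password that reduces to a dictionary word falls inside the small rule-based guess list regardless of how many character classes it contains, which is why length and randomness matter more than decoration.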