The second rendition of Cybersecurity 101 event at Te Herenga Waka – Victoria University of Wellington, had very few changes due to the successful format for last year. The day began with a keynote covering the complexity and scaling of systems when dealing with security, by Kate Pearce, Head of Security at Trade Me. Systems are designed for threats and to manage risk; as it’s not possible to stop the attacks from happening in the future. Giving people more access than they need can add to the complexity and challenges of designing security systems – an aspect Kate manages as part of her role at Trade Me. She also reminded the students about how complexity of systems makes it inevitable that humans will make mistakes in the programming or delivery. It’s how you resolve or respond to them that matters.
After that enlightening talk, Justina from ZX Security talked about her journey as an ex-student of the Cybersecurity Engineering degree at Victoria University of Wellington. She only found out about the field while in her second year of software engineering and decided to switch over. Without prior knowledge, she was unsure at the start; but now Justina works as a Penetration tester; an expert who is authorized to run security tests on websites, apps and systems in a company. They are “paid” to “break into a website or apps to find frailties”. Once done, they identify areas that need to be addressed and summarize it as a report for the organisation.
Finding alternate ways to break into systems by bypassing valid user credentials is common and so we ran a lock picking exercise to depict similar scenarios. The ethics of the activity were described before they got into it. Most times, this activity when used in the industry, is guided by two rules: Only pick a lock that you have got permission to pick and do not pick a lock that is in use. The first rule explains why it’s important to be on the right side of the cybersecurity world and the impact it may have if not followed. The second rule covers aspects of existing networks, secure data and private user information that could be jeopardized if picked in use. Students used a variety of tools provided in the kit such as torsion wrenches and different sized picks. There was a smile on faces when locks were successfully picked, bringing them to another valuable lesson about no security being perfect.
Locks and keys work as a pair, they are designed to work together; however, locks can be picked using tools if you understand how the system works. If you are more interested in this, check Lock Picking Lawyer on YouTube.
After a brief morning tea break, students got into ciphers and how they work. Pravin Vaz, Outreach Coordinator for Engineering and CS at VUW, gave a brief introduction on the history of ciphers which dates all the way back to at least 400BCE where military commanders shared private messages with their troops. Enigma was up next for discussion; how physical systems made a difference to the complexity of the cipher and the way Alan Turing and his team at Bletchley Park solved the challenge. Finally, we covered current day ciphers and the impact of Diffie-Hellman’s work in encryption. A small paper-based activity making a Caesar Cipher wheel followed the talk and concluded with discussion around other ciphers such as Vigenère and Pigpen.
Ian Welch, Assistant Professor of Cybersecurity, discussed the differences between course choices in Cybersecurity Engineering vs online and diploma courses. Students do not need to have a degree in the field to get into Cybersecurity; however, it does help as the courses are designed to cover a range of important topics such as Malware, Offensive/Defensive, Cryptography, Digital Forensics along with 800 hours of industry experience at a relevant company. Group projects also allow students to work together on problem-solving real-world issues in cybersecurity. There is also a range of other skills that you pick up along the way in Computer science (Programming, Algorithms, Databases) in the first year that are important in the field and while you don’t need high school programming for the degree, it’s always an advantage.
After Lunch, Ian continued talking about the science of passwords. He gave the analogy of identifying people in a crowd is always a challenge and identifying and making a handshake is vital to continue the discussion later. Over the internet, this happens via public private keys. It’s also an interesting fun fact that most of these explanations about cryptographic systems use ‘Alice’ and ‘Bob’ as characters. To send an encrypted message to Bob in an encrypted email, Alice takes Bob’s public key and encrypts her message to him. This message, when received, can only be decrypted by Bob’s private key.
The final activity, which was also the highlight of the event, was the picoCTF set up by one of our Ph.D students in Cybersecurity, Abdullah Al Mamun. The platform (www.picoctf.org) was built by Carnegie Mellon University as a safe platform to learn cybersecurity skills. Teachers can monitor and visualize learning and progress through an interactive platform which is easy to set up and free to use. The basics of CTF involve certain Linux commands such as WGET which is to get or download files. All these commands can be picked up on the fly, without prior learning. Students worked in teams to solve several hidden messages and got points for their team. They were also allowed to share solutions within their team for no extra points. The winning team was awarded with some cool merch.
There are also other events for students; one worthy of mention is organized annually by CROW (Cybersecurity Researchers of Waikato). Check them out at https://cybersecuritychallenge.org.nz/
We aim to run this one-day event every year around the same time (week before term 2 ends). If you are interested in sending your students for the event or have any questions on how to organise a CTF in your classroom, please get in touch with me at pravin.vaz@vuw.ac.nz