CAE National Competition, Cryptocurrency, Competition Preparedness, and Cyber Opportunities

Topics Covered

  • Guest Speakers: Dr. Nathan Fisk, Tony Urbanovich, and Jake Mihevc
  • CyberBytes: Cryptocurrency and Blockchain
  • Technology Corner: Preparing for the CAE Competition
  • Cyber Opportunities: Navigating the CAE Website

Aired: February 16, 2021

About this Show

Guest Speakers:

Nathan Fisk, Ph.D.

Dr. Nathan Fisk, Ph.D., is an Assistant Professor of Cybersecurity Education in the USF College of Education. He also serves as the Community and Outreach Liaison for Cyber Florida, a state-funded organization dedicated to positioning Florida as a national leader in cybersecurity through education and workforce development, interdisciplinary research, and community outreach.

Tony Urbanovich

Tony Urbanovich is the CEO / President of Cyber Insight LLC. He has provided cyber security, privacy, governance, risk and compliance program design, implementation and management services for numerous U.S. and international clients including small-medium businesses, large enterprises, a global top hedge-fund, and executive-level government clients. He has held multiple executive leadership roles, including Chief Operating Officer for CyberGRX, Vice President of Security Assurance for American Express, Principal on Booz Allen Hamilton’s commercial cyber security team, and Vice President, Privacy, Ethics, and Compliance at ChoicePoint (acquired by Lexis Nexis).

Jake Mihevc

Jake serves as Dean of the STEM transfer program at MVCC, a CAE2Y. Jake is also the Director and PI of the Northeast Regional Resource Center for the CAE program. Jake leads the cybersecurity programs at MVCC, which began in 2010 with a 2.8M non-credit grant program that provided free training to over 2,200 participants and culminated in a 155-student CAE-designated Cybersecurity AS program in 2016. Jake is also a co-founder of the Central New York Hackathon, a regional cybersecurity competition that brings over 100 students from eight cybersecurity programs together each semester to test their skills.

NSA

To learn more about the CAE in Cybersecurity, visit the following site: https://www.caecommunity.org/

Cyber Bytes: Cryptocurrency

What is cryptocurrency? 

To put it simply, cryptocurrency is a form of currency that is only available digitally, and it relies on cryptographic processes to record financial transactions. Alright, let’s say you’re using cryptocurrency – how can you make sure that your account information is kept secure and private? The answer is private and public keys! When you own cryptocurrency, what you actually own is a private key, which allows you to spend or do whatever you wish with your cryptocurrency. You also have a public key, which is what other people use to send cryptocurrency to you. Only you can access the money sent to your public key address, since you hold the corresponding private key. It’s possible to recover your public key if you own the private key; however, it is impossible to find the private key with only a public key. This is why it is so important that you keep your private key in a very secure location, like a hardware wallet.

Distributed Ledger System & Decentralization

In order to keep track of all the money everyone owns, we rely on a distributed ledger system through blockchain technology. A ledger is a record for financial transactions. For example, if you pay your friend $10, then your friend pays another friend $5, then you receive $20 from another friend – all those transactions could be written down and documented on a ledger. But where is this ledger stored, and who controls what’s added onto it? To take away the issue of trusting one person to keep track of all of this, the ledger is distributed amongst everyone, and anyone can view and make their own modifications to it. This goes into the concept that cryptocurrency is decentralized, meaning that there is no single entity or government overseeing all these transactions.

Walking Through a Transaction (Hashes and Proof of Work)

Alright, so let’s walk through how a transaction actually works. Let’s say you want to send your friend one bitcoin, which is a type of cryptocurrency. Along with the bitcoin, you include your friend’s public key address, and then use your private key as a “digital signature” to sign and verify that you actually want to make this transaction. Using SHA-256, a cryptographic hashing function, all this data then gets turned into a hash, which looks like a keyboard smash: a long string of random-looking characters, 256 bits in total. This ensures that random people can’t just go in and reverse the hash to get your data. Now, at the end of the list of transactions on your ledger, a 32-bit number gets randomly generated. Once this whole thing is run through SHA-256, a new hash is generated which, when given the right 32-bit number, will start with a huge number of zeros. Now, in order to verify this message, we must find the specific number that, when combined with the ledger data and hashed, produces an output that starts with that number of zeros. Because SHA-256 is a cryptographic hash function, the right number can only be found by guessing: there are roughly 4 billion possible 32-bit numbers that must be randomly tested until the right combination of the 32-bit number and the hash gets found. This is where cryptocurrency miners come in, running through billions of numbers. This is called “proof of work”, as you can verify that a large amount of work was done to find that specific number.

Blockchain

Now, instead of calling it a “ledger”, let’s call it a “block”, which is what the transactions and the proof of work are organized into. A block is only considered valid if it has a proof of work. Once blocks are verified, they are put on a chain, and each one has to contain the hash of the previous block. If any block is changed or the order is changed, it would change the hash of that block and all the blocks following it, requiring miners to redo the proof of work and find a new specific number for all of those blocks, which is what helps keep cryptocurrency transactions secure. Once blocks are all chained together like this, we call it a “blockchain”, where every single transaction is recorded on the blockchain. After we can verify your transaction on the blockchain, your friend can finally receive your message with their private key.
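The proof-of-work search and the hash chaining described in the two sections above, as an added example that is not part of the original show notes. The block layout (previous hash + transaction text + 32-bit number), the 16-zero-bit difficulty and all function names are assumptions chosen so the search finishes quickly; this is not Bitcoin's real block format.

```python
import hashlib
import struct

DIFFICULTY_BITS = 16      # assumption: toy difficulty, about 65,000 guesses per block
GENESIS_PREV = "0" * 64   # assumption: placeholder "previous hash" for the first block

def block_hash(prev_hash: str, transactions: str, nonce: int) -> str:
    """SHA-256 over the previous block's hash, the transactions and a 32-bit number."""
    data = prev_hash.encode() + transactions.encode() + struct.pack(">I", nonce)
    return hashlib.sha256(data).hexdigest()

def meets_target(digest_hex: str, bits: int = DIFFICULTY_BITS) -> bool:
    """True when the 256-bit hash starts with at least `bits` zero bits."""
    return int(digest_hex, 16) >> (256 - bits) == 0

def mine(prev_hash: str, transactions: str) -> dict:
    """Proof of work: try 32-bit numbers until the hash starts with enough zeros."""
    for nonce in range(2**32):
        digest = block_hash(prev_hash, transactions, nonce)
        if meets_target(digest):
            return {"prev": prev_hash, "tx": transactions, "nonce": nonce, "hash": digest}
    raise RuntimeError("no 32-bit number produced a valid hash")

def build_chain(tx_batches: list) -> list:
    """Mine one block per batch, each storing the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for tx in tx_batches:
        chain.append(mine(prev, tx))
        prev = chain[-1]["hash"]
    return chain

def first_invalid(chain: list) -> int:
    """Index of the first block that fails verification, or -1 if the chain is valid."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        recomputed = block_hash(b["prev"], b["tx"], b["nonce"])
        if b["prev"] != prev or recomputed != b["hash"] or not meets_target(recomputed):
            return i
        prev = b["hash"]
    return -1

SAMPLE = ["you->friend:10", "friend->other:5", "another->you:20"]  # constructed ledger entries

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print("valid chain:", first_invalid(chain))
    chain[1] = mine(chain[0]["hash"], "friend->other:500")  # rewrite block 1 and redo its work
    print("first broken block after rewrite:", first_invalid(chain))
```

Checking a block costs one hash while finding its number costs tens of thousands, and redoing the work for one rewritten block still leaves every later block pointing at the old hash.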

Which Blockchains Do We Trust?

Along with the concept of decentralization that I mentioned previously, it’s important to note that everyone can have their own copy of the blockchain and add and make changes to it. Therefore, if you’re receiving two distinct blockchains with conflicting transaction histories, you would choose the longest one, which is the one with the most proof of work. Since everyone agrees that the most valid blockchain is the one with the most proof of work behind it, a central authority is not needed to regulate the system. So let’s say you want to trick your friend into thinking you paid him one bitcoin. You only send that message to your friend without telling anyone else in the network, so that everyone but your friend still believes that you have that one bitcoin. In order to successfully trick your friend, you would have to find a valid proof of work before all the other miners. If you do, your friend could believe that your block is actually valid. However, all the other miners would eventually find the right proof of work, and since all blocks on the blockchain contain the history and hash of the previous block, you would have to keep updating your fraudulent blockchain quicker than all the other miners, meaning that you would need more than 50% of the computing resources of all the other miners combined. Since that is practically impossible, your friend will trust the blockchain with the most proof of work, and they would eventually realize that yours is incorrect. This means that you should not automatically trust the latest block that is added onto the blockchain; instead, you should wait for several more blocks to be stacked on top of it.

Current Events with KuCoin

If you want to do some more research on current events in the cryptocurrency world, KuCoin, a cryptocurrency exchange service, was hacked for over $281 million in September of 2020, and it is said to have been one of the largest cryptocurrency security breaches in history. In this event, hackers obtained the private keys linked to the company’s hot wallets, which are cryptocurrency storage with a constant connection to the internet.

Technology Corner – CAE National Competition

The competition is oriented towards students who are new to cybersecurity competitions, and will include an extensive training and practice environment, regional competitions, and the National Finals to be held at the 2022 CAE Executive Leadership Forum. The challenges within the competition will be CAE-sourced to allow each of the unique facets of cybersecurity education to be components of the competition. The first CAE National Competition will be held throughout the 2021-2022 academic year and is designed to increase student and faculty engagement with competitions throughout the CAE program. 

Here is a general overview of the competition and what you will be learning!

Linux

  • Linux is a tried-and-true, open-source operating system released in 1991 for computers, but its use has expanded to underpin systems for cars, phones, web servers and, more recently, networking gear.
  • Linux is popular for the following reasons:
    • It is free and open source. We can download Linux for free and customize it as per our needs.
    • It is very robust and adaptable.
    • It has an immense number of libraries and utilities.
  • Resource to start learning: https://linuxjourney.com/

MySQL 

  • MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL). SQL is the most popular language for adding, accessing and managing content in a database. It is most noted for its quick processing, proven reliability, ease and flexibility of use.
  • CAE Emphasis: Maintaining Database Read and Write access
  • MySQL Resources: https://www.mysqltutorial.org/

SMB 

  • SMB is a communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated inter-process communication mechanism.
  • CAE Emphasis: Maintaining Samba File Share Read and Write access

FTP 

  • The File Transfer Protocol is a standard network protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client-server model architecture using separate control and data connections between the client and the server.
  • CAE Emphasis: Maintaining FTP server Read and Write Access over SSH

DNS – Domain Name System

  • DNS is a naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities.
  • CAE Emphasis: Maintaining Forward and Reverse Lookups for the student-managed infrastructure

SSH – Secure Shell

  • SSH or Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH.
  • CAE Emphasis: Maintaining Users’ Remote Access to an SSH server

Web Content 

  • Make sure PHP code is secure! It might have some vulnerabilities. PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
  • CAE Emphasis: Maintaining Functionality of database-backed vulnerable PHP application

WebSSL

  • SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, a certificate activates the padlock and the https protocol and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently is becoming the norm when securing browsing of social media sites.
  • CAE Emphasis: Enabling valid, signed SSL certificates for Web Application

Watch the CAE National Competition Presentation: https://www.youtube.com/watch?v=vnPdZBA13os 

Cyber Opportunities

CAE Resources

Here are some resources that are provided by the CAE community: 

CAE Website

You can check out the CAE website, and if you go under Resources you can see three sources that are affiliated with them: GenCyber, the ATE center resource, and the National Initiative for Cybersecurity Careers and Studies (NICCS). Check these out as well, since many of them offer other opportunities.

Visit the CAE website: https://www.caecommunity.org/

CAE News

If you check out their News tab, there is an opportunity that I thought was cool that you can do this year, all from your home, which makes sense as we are sadly still in the pandemic. They are offering an internship at NIST. It is designed to inspire undergraduate students to see careers in STEM through a research experience that supports the NIST mission.

View CAE news: https://www.caecommunity.org/content/news

Tech Talk

They also provide the CAE Tech Talk. It is held live through Zoom, where members of the CAE community give technical presentations on cybersecurity-related topics to the rest of the CAE in Cybersecurity Community. You can find more information under the resources tab on their website by going to the CAE Tech Talk Resources tab.

CAE Tech Talk Page: https://www.caecommunity.org/content/cae-tech-talk-resources 

Cisco Networking Academy

Visit Cisco Networking Academy: https://www.netacad.com/