A course in hacking computers

Jonathan Jogenfors and Niklas Johansson wanted to offer something different, so they designed the practical exercises for a course in computer security as a game, a competition in which points were awarded at different levels. Did the students think it was fun? Well – what do you think?

Niklas Johansson, Oier Saizar and Jonathan Jogenfors

And the winner is…
…Scooby cookies!
Two Spanish exchange students, Oier Saizar and Juan Ramón del Caño Vega, come up to the front and receive their rather unusual prizes – a box of toffees each.

“We wanted to teach computer security in a new and stimulating way. Students learn a great deal more effectively if they get to test things themselves, and don’t just read about the problems they should avoid. We teach them to construct robust systems where they can avoid getting into difficulties,” says Jonathan Jogenfors, course leader.

“Most people know that you mustn’t click on unknown links, but our students learn why,” he says.

Avoiding common mistakes

There is, of course, a serious basis for the light-hearted competition: an ever-increasing amount of our communication, trade and service provision takes place over the internet. Security vulnerabilities are widespread, and hackers are becoming ever more sophisticated. So it’s important that web designers are aware of the common mistakes and weaknesses and know how to avoid them.

These two courses in computer security are offered at LiU for slightly different target groups. One of them is four credits and the other six, and both consist of lectures and practical exercises. Jonathan Jogenfors and Niklas Johansson, doctoral students at the Division of Information Coding, wanted to take a new approach and designed the practical exercises in the form of a “Capture the flag” competition, where teams were awarded points for completing certain tasks.

The system contained 44 exercises in several fields, all of them related to web security. Twenty-one of the exercises were compulsory: some were relatively easy and some more difficult.
The simplest task was to log in, without knowing the username or password. (Find out how to do this, at least in a poorly designed system, at the end of this article.)

Students worked in pairs and had two months to solve the tasks. The pair that solved a problem first was also awarded a gold medal, the next pair a silver medal, and the third a bronze medal.

“We opened the competition at 3.00 pm on a Friday. One pair had completed the compulsory tasks by 9.00 pm the same day,” says Niklas Johansson.

Collecting medals

Scooby cookies received 2612 points, 8 gold, 10 silver and 9 bronze medals. Second place went to a pair with 2481 points and rather fewer medals.

“I thoroughly enjoyed the course, and the practical exercises were great fun,” says Oier Saizar, third-year exchange student in computer science. “Some of them were quite difficult, but I have played ‘Capture the flag’ before.”

Juan Ramón del Caño Vega is impressed by the progress of his companion.

“Many of the tasks were too difficult for me, but Oier solved them as easily as doing a few sums. The course was, however, extremely interesting. Even if I don’t end up working with computer security, I think this is a course that everyone should take in order to get some idea of what cyberattacks are and how to avoid them,” he says.

Hacking your way into various types of computer system is not, of course, permitted. So the exercises have been carried out on fictive websites in a highly isolated environment.

“We are grateful to LiU IT for their help in creating a securely insulated cell for us, and we have also taken a lot of care to teach the students about the legal situation – what is permitted in cyberspace and what is not,” says Jonathan Jogenfors.

Around 150 students have now taken the courses. The four-credit course is given in Swedish and the six-credit course in English. The shorter course is intended mainly for those taking BSc programmes, and the longer for those taking master’s. The courses are at basic level, and compulsory in some degree specialisations, optional in others. The examiner is Jan-Åke Larsson, professor of information coding. More advanced courses in computer security are given in the Department of Computer and Information Science.

More information on the course in English: TSIT02 Datasäkerhet / Computer Security

How can you log in if you don’t know the username and password? Type in ‘admin’ as username and ‘password’ as password. (Many people coding websites forget to change the defaults.)