NOTE1: From 2015-2016 this course is not given as telelecture any longer
NOTE2: From 2015-2016 the evaluation method is changed: there is a written exam at the end in addition to the challenges
Who gives this course:
- Sandro Etalle (responsible)
- Davide Fauri, (assistant)
- a few guest lectures.
Semester 1, Quartile 2. Course code: 2IMS20
on Tuesdays, hours 5 and 6 (13.45 -- 15.30)
and Thursdays, hours 3 and 4 (10:45 -- 12:30)
Bureaucracy Students from Nijmegen have to be enrolled at the TU/e,
and enroll in the cursus, via canvas.tue.nl
Slides (which are being updated during the course) and other course material can be accessed
directly at our svn repository here.
- Additional material on writing a metasploit can be accessed
directly at our svn repository here.
- Obligatory reading 1:Analysis of the cyber attack on the Ukrainian
power grid, by T. Conway, R. M. Lee,
M. J. Assante. SANS ICS, 2016. Available at:
- Obligatory reading 2: Framing Dependencies Introduced by
Underground Commoditization, by Kurt Thomas, Danny Huang, David
Wang, Elie Bursztein, Chris Grier, Thomas J. Holt, Christopher
Kruegel, Damon McCoy, Stefan Savage, Giovanni Vigna. Available at
- Obligatory reading 3: Investigation Report for the
September 2014 Equation malware detection incident in the US,
- Obligatory reading 4:
article that describes a safety-related automotive attack on a Jeep by Miller and Valasek
- Obligatory reading 5:
article that describes ransoomware that is targeting in-vehicle
environments by Escrypt
- Obligatory reading (lecture of Luca Allodi): Workman,
Michael. Wisecrackers: A theory-grounded investigation of
phishing and pretext social engineering threats to information
security. Journal of the Association for Information Science and
Technology 59.4 (2008): 662-674. Available at
(or similar address, look for it on the internet, possibly from
the TU/e network).
- Obligatory reading (lecture of Luca Allodi): Branch, Federal
Network Resilience Cybersecurity Assurance. Unintentional Insider
Threats: Social Engineering. (2014). only the sections: 3, 5,
6.1, 6.2, 6.3 Available at
- Obligatory reading (lecture of Luca Allodi): Framing Dependencies
Introduced by Underground Commoditization by Kurt Thomas et al.
Available at https://cseweb.ucsd.edu/~savage/papers/WEIS15.pdf
- For the part on ransomware:
- Bruce Schneier on the Equifax Hack https://www.schneier.com/crypto-gram/archives/2017/1115.html
Grading is determined by a combination of assignments (50%), a written
exam at the end of the course (50%).
- There is no test exam. Why? There are very few things that change as fast as
cyber-attacks. Therefore, the content of this course
changes literally every year, making it impossible for us to have a test
exam that would be relevant for more than one edition of the
- The questions on the written exam are obviously on the whole
program covered by the course, therefore including guest lectures. The exam is not open boek. Expect open questions;
they could be on anything discussed during the lecture, including (but not limited to):
on how to carry out a certain attack on a given (outlined) system, on giving a security assessment on a given system or situation,
on reasoning about types of attacks and countermeasures, on the strenghts and weaknesses of systems we have discussed in the lectures, on how a certain attack is/has been/could be carried out ...
- Challenges: they are given during the course. To calculate the scores,
it counts both how many exercises you solve and when (the earlier,
the better). The deadline for submitting the solutions to the
challenges is December 15 The buffer overflow, the format
string, the command
injection and the client-side controls and session management challenges are not considered in the grading (they
are there only for "fun").
Challenges are thoroughly explained during the lectures. Students are expected to complete at least some of them at seclab1.win.tue.nl:8080.
We do NOT expect students to be able to solve all the challenges. Many of the challenges are very difficult; in particular, the Format String Challenges are completely facultative and not counted in the final grade.
When grading the challenges, we take into consideration when a
challenge is solved: solving a challenge the days after it has been
made available counts for the full score. Solving a challenge just
before the final deadline counts 50% of the score (linear
degradation). The precise formula we are going to use this year is
the following one: The level 0 MySQL challenge is worth 0 points.
All other MySQL and XSS challenges are worth 0.8 points, while RFI/LFI challenges are worth 0.5 points.
For each day of delay wrt the 21/11/2017 we apply a discount on the vote equal to 2% (the discount takes in consideration not only days, but also hours, minutes, seconds, so if you turn in something one minute after midnight it is almost like turning it into at 1 minute before midnight).
Exercises turned into after the midnight of 15/12/2017 count zero.
I reserve the right to slightly modify this formula.
- Exam: this is a new part. The exam is compulsory and in order to
pass the course you need to score at least a 5 on the exam. The
exam is three hours long.
- Alternative Practical Task (instead of the exam + practical
exercises) We are looking for max 3 students who can help with
setting up our new Security Operation Center, and perhaps one or
two reverse engineering job. The candidates should be people who
already master XSS, SQL injections and (to some extent) buffer
overflows (do not cheat, I am going to check). If you want to be
considered for this, please send me an email (by November: 15 today
or tomorrow); after the lecture on Nov 16 I will meet at 12:30 with
the candidates and discuss how to proceed). The procedure will be
the following: first I individually interview the candidates (and
check if they have the required knowledge). Then, with the selected
candidates we have to define the project they will work at and the
timeframe of the project.
NEW the reverse engineering task (sponsored by
SecurityMatters) is described here.