CST3607 Class Notes 2021-08-26

Meeting in Zoom

• When: Aug 26, 2021 08:00 PM Eastern Time (US and Canada)
• You should have received an e-mail at your CUNY CityTech e-mail as listed in Blackboard.
• Or you can go to our class section in Blackboard. The Zoom information is in Content > Information

Pelvic Exams Without Consent is Legal!

Stay Informed! News Sources

Studying & Learning Tips

The Final Exam will be on Thursday: December 16, 2021 at 8PM

News & Tools

• Identity Theft Spikes Due to COVID-19 Relief
• Downdetector: Real-time problem & outage monitoring
• Cybrary – Free IT & Security Training
• The Privacy Paradox Challenge: A week of challenges with thousands of other “Note to Self” podcast listeners Feb 6-10.
  • Government Secrets Worth Leaking… or Keeping? Note to Self (Vault-7 & Stingray)
• Surveillance Self-Defense is Electronic Frontier Foundation (EFF)’s guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices.
• security.txt: “When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. Security.txt defines a standard to help organizations define the process for security researchers to securely disclose security vulnerabilities.”
• Microsoft Windows and Office ISO Download Tool: Use this tool to download genuine Microsoft Windows disk images (ISO) directly from Microsoft’s servers, as well as Microsoft Office for Windows and Mac.
  • Use Rufus to create a bootable USB flash drive from the ISO.
• PoisonTap: exploiting locked computers over USB
  • PoisonTap – siphons cookies, exposes internal router & installs web backdoor (reverse tunnel) on locked/password protected computers using a $5 Raspberry Pi Zero and Node.js.
  • Raspberry Pi Zero (YouTube.com)

Notes

• The Class Web page is located at ConsciousVibes.com (Do Not use the www. prefix!)
  • Select the “City Tech” menu, on the right.
  • All assignments, reading and written, will be posted only on the class Web page
  • Assignments will never be posted on Blackboard.
• Make sure that you can log into Blackboard and access our class section as soon as possible.
  • Exams and quizzes will be administered via Blackboard
• Free ESL, GED, Job prep classes are available from the Office of Adult & Continuing Education

Principle of Least Privilege

• Why You Should Not Run as an Administrator or Root User
• How to Change Your Admin Account to a Standard User
  1. Create a new local account that’s an administrator, with a strong password.
  2. Log in under the new local administrator account to verify that it’s working properly
  3. Change the account type of your original account to a Standard user
  4. Log in under your original account, that is now a Standard user.
  • When elevated rights are needed, UAC will prompt for the administrator account password.
• 94% of Critical Microsoft Vulnerabilities can be easily Mitigated (Computerworld)
  • Avecto Microsoft Vulnerabilities Report
    • The report makes the compelling case for least privilege, finding that of the 235 Critical vulnerabilities reported in 2017, 80% would be mitigated by removing local admin rights from users.

Malware (short for malicious software. e.g. Virus, Trojan Horse, Worm, Adware, etc.)

• The key to solving the malware problem is avoidance, not detection and removal.
• Rootkit : You can never be sure you’ve removed all traces of a rootkit. The only way to be certain that your system is clean of malware is to:
  1. Backup only your data. (Do not backup any .exe’s, .com’s as they may have been compromised.)
  2. Erase/format the hard drive
  3. Do a clean install of the operating system from known safe media. (Do not use the recovery partition, as it may have been compromised too.)

Zero-Day Vulnerability

• A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those interested in mitigating the vulnerability (including the vendor of the target software), and anti-virus makers.

Password Managers

Tools

Microsoft Windows and Office ISO Download Tool

• This tool allows an easy way to download genuine Windows 10 disk images (ISO) directly from Microsoft’s servers, as well as Microsoft Office.
• In the past, Microsoft provided disk images for many of their products through their subcontractor “Digital River”. These downloads were pulled in early 2014. Afterwards, Microsoft made a limited selection of downloads available on their TechBench site. This tool accesses that TechBench site, and unlocks a large number of hidden download files on it.

Create a bootable USB Flash Drive from an ISO

• Rufus : Create a bootable USB from an ISO, and Windows to Go USB Flash Drive from an ISO
• XBoot : Create a bootable USB flash drive with multiple Live OS’s

Live Recovery OS and AntiVirus Media

• Troubleshoot/Test hardware or recover data
• Ubuntu, KNOPPIX, Kali Linux
• Lubuntu (for older, slower, or low resource PC’s)

BadUSB

• This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”
• BadUSB Exposure
• USB Rubber Ducky is a keystroke injection tool disguised as a generic flash drive. Computers recognize it as a regular keyboard and accept pre-programmed keystroke payloads at over 1000 words per minute.
• USBGuard software framework helps to protect your computer against rogue USB devices (a.k.a. BadUSB) by implementing basic whitelisting and blacklisting capabilities based on device attributes.

PortaPow Fast Charge + Data Block USB Adaptor

• Blocks data transfer – your device will not go into ‘data transfer’ mode if connected to a computer, so you can use a computer just like a mains charger. This also prevents data hacking and any risk of viruses being loaded onto your device when charging from an unknown/public USB socket.
• Puts your device into fast charge mode – allows you to charge at high speed (up to 2.4A) from a computer USB socket or other USB charger even if it was not originally designed for your device. Most Android and Apple products will charge at double the speed of normal computer USB charging.
• Available from Amazon.com

---

Backing Up: 3-2-1 Rule

• 3: Have three copies of your files. The original, plus 2 copies
• 2: On different storage mediums. e.g. separate hard drives, optical (CD/DVD), tape
• 1: Have a current backup that is offsite and/or a secure online service:
  • Mega (encrypted), Carbonite.com, Gmail Sync, Microsoft OneDrive, DropBox, Box.com
    
    • Note: Any files that may have sensitive information, should be encrypted locally, before they’re uploaded/synchronized to the cloud.

Optical Media for Long Term Archives

• Regular writable optical media, CDs & DVDs, etc., are not reliable for long term storage. The die used with optical media degrade with exposure to light, temperature extremes, etc. Because of this, the data on the media will start to degrade within 1 to 5 years.
• Methodology to protect your data. Backups vs. Archives. Long-term data protection (Apple.com)

M-DISC (Millennial Disc)

• M-DISC (Millennial Disc) is a write once optical disc technology available in DVD and Blu-ray forms.
• Millenniata claims that properly stored M-DISC DVD recordings will last 1,000 years, and are readable in conventional optical drives.
• M-Disc optical media reviewed: Your data, good for a thousand years (PCWorld.com)
• Drives with M-DISC support and M-DISC Media
  • LG Electronics 8X USB 2.0 GP65NG60
  • Samsung/TSST SE-506CB.RSBD
• Millenniata 4.7GB M-Disc, 10 Pack

Memorize these Bit Patterns of Often Used Subnet Mask Values

Bit(s)	Binary	Decimal
1	10000000	128
2	11000000	192
3	11100000	224
4	11110000	240
5	11111000	248
6	11111100	252
7	11111110	254
8	11111111	255

Troubleshooting Client Network Connectivity

Determine why a client workstation did not receive a valid IP address for your network, while other client workstations can.

• Step-by-step troubleshooting. Keep it simple.
• What configuration information does a DHCP client expect to received from the DHPC server?
• Example network: 10.10.5.0 /24
• Automatic Private IP Addressing (APIPA)

---

Send an e-mail to me

• Send me an e-mail, from the e-mail address you check regularly, that I will use to communicate with you for the rest of this semester. My e-mail address is on the last page of the syllabus distributed on the first day of class.
  • E-mail Subject: CST3607 Contact Info
  • In the Body of the e-mail: Include your first and last names and your mobile phone number.
  • Note: I will not share your phone number or e-mail address with anyone.
• Always sign e-mails to me with your full first and last names.

Read / Watch

CST3607 Class Outline / Syllabus

CCNA Certification Study Guide, Volume 2: Exam 200-301

• Read Chapter 1: Network Fundamentals
• Do the Written Labs
• Answer the Review Questions
  • Do not submit your answers for this chapter. The answers are in Appendix B

OSI Reference Model

• Study the: OSI Model Quick Reference (pdf)
• TCP/IP and the OSI Model Explained by Blanchae
• The OSI Model Demystified by Eli the Computer Guy
• Understanding the OSI Reference Model: Cisco Router Training 101 by SoundTraining.net

CCNA Certification Study Guide, Volume 2

• Take the “Assessment Test” on p. xl

About the Review Questions at the end of every chapter

• It is your responsibility to continually evaluate your knowledge and understanding of each chapter by completing the written labs, review questions, and hands-on labs, and then going back to study those areas you’re not confident with.
• Make sure you ask questions about the areas you’re having difficulty with during class.
• Do not submit your answers to the Review Questions for grading.
• The answers for the Review Questions are in Appendix B of the textbook.

Read / Do

• Take the “Assessment Test” on p. xl
  
• Read Chapter 1: Network Fundamentals
• Do the Written Labs
  
• Answer the Review Questions