Cybersecurity Fundamentals: Cryptography, Ethics, and Threat Mitigation

Core Cybersecurity Concepts and Threats

ATM Jackpotting: Attack Vectors and Risks

ATM jackpotting is an attack in which attackers take control of ATM hardware remotely and force it to dispense cash. Key weaknesses exploited include:

  • Outdated Windows XP systems.
  • Unpatched operating systems (OS).
  • Insecure network configurations.

The risk is high because the criminal Return on Investment (ROI) is significant and detection rates are minimal.

Red Team vs. Blue Team Dynamics

Red Team thinking involves finding weaknesses (offense), while the Blue Team focuses on defense. Attackers often exploit low-hanging fruit, which refers to simple, obvious vulnerabilities that are easy to exploit with minimal effort. These are often the first targets during penetration testing or Red Team operations.

Social Engineering and Human Factors

Social engineering is the manipulation of people into giving up confidential information or performing actions that compromise security. Rather than exploiting software, it exploits human psychology—trust, fear, or urgency. Common examples include phishing, pretexting, and baiting.

Phishing: Fraudulent communication designed to steal credentials or data.

Prevention Mindset

Proactively identifying unusual behavior before an incident occurs is crucial for prevention.

Cryptography and Secure Communication

Digital Signatures and Envelopes

The main goal of digital signatures and envelopes is to provide authenticity, non-repudiation, and integrity of messages or transactions.

  • Digital Signature: Produced by encrypting a message’s hash with the sender’s private key. This allows recipients to verify that the message hasn’t changed and proves its origin.
  • Digital Envelope: Protects a message by encrypting it with a one-time symmetric key, which itself is encrypted with the recipient’s public key (a hybrid approach combining symmetric and asymmetric encryption).
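
An added illustration of both constructions (not part of the original notes): a hash-then-sign signature and a digital envelope in pure Python. It assumes textbook RSA without padding, small demo keys built from known Mersenne primes, and a SHA-256 keystream standing in for a real symmetric cipher such as AES, so it shows the structure only; all function and key names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def digest_int(message, n):
    """SHA-256 of the message as an integer reduced below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    d, n = private
    return pow(digest_int(message, n), d, n)  # private-key operation on the hash

def verify(message, signature, public):
    e, n = public
    return pow(signature, e, n) == digest_int(message, n)

def keystream_xor(key, data):
    """Toy symmetric cipher (assumption, stands in for AES): XOR with SHA-256(key || counter)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(message, recipient_public):
    """Digital envelope: a one-time key encrypts the message, the public key encrypts that key."""
    e, n = recipient_public
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, message)

def open_envelope(envelope, recipient_private):
    wrapped, ciphertext = envelope
    d, n = recipient_private
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)

# Constructed demo keys from known Mersenne primes; far too small for real use.
ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"  # constructed sample message
    sig = sign(msg, ALICE_PRIV)
    print(verify(msg, sig, ALICE_PUB), verify(msg + b"0", sig, ALICE_PUB))
    print(open_envelope(seal(msg, BOB_PUB), BOB_PRIV))
```

The signature verifies only against the signer's public key and fails as soon as the message changes; the envelope opens only with the recipient's private key.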

Non-Repudiation Defined

Non-repudiation ensures the sender cannot deny authorship of a message or transaction.

Symmetric vs. Asymmetric Encryption

The fundamental difference lies in key usage:

  • Symmetric Encryption: The same key is used for both encryption and decryption (e.g., AES, DES). This method is fast but less scalable. Block ciphers encrypt fixed-size blocks; stream ciphers encrypt continuously as data flows in.
  • Asymmetric Encryption: Uses a public key for encryption and a private key for decryption (e.g., RSA, PGP). This is safer for key exchange.

Cipher Types: Substitution and Transposition

These are methods used in symmetric encryption:

  • Substitution Cipher: Creates confusion by replacing each element of plaintext with another symbol, letter, or number (e.g., Caesar cipher).
  • Transposition Cipher: Adds diffusion by rearranging the order of characters in the plaintext without changing them (e.g., rail fence cipher).
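
The two named ciphers side by side, as an added example that is not part of the original notes: a Caesar shift replaces letters while keeping their positions, and a rail fence reorders letters while keeping the letters themselves, which is why simple letter counting exposes each one differently. Function names and the sample plaintext are chosen for this illustration.

```python
from collections import Counter

def caesar(text, shift):
    """Substitution: replace each letter with the one `shift` places later."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def rail_pattern(length, rails):
    """Rail index visited at each position of the zigzag."""
    if rails < 2:
        raise ValueError("rail fence needs at least 2 rails")
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(length)]

def rail_fence_encrypt(text, rails):
    """Transposition: write along the zigzag, then read rail by rail."""
    pattern = rail_pattern(len(text), rails)
    return "".join(ch for r in range(rails)
                   for ch, p in zip(text, pattern) if p == r)

def rail_fence_decrypt(cipher, rails):
    pattern = rail_pattern(len(cipher), rails)
    # Plaintext positions in the order the encryptor read them out.
    order = sorted(range(len(cipher)), key=lambda i: (pattern[i], i))
    plain = [""] * len(cipher)
    for ch, pos in zip(cipher, order):
        plain[pos] = ch
    return "".join(plain)

def same_letters(a, b):
    """True when both strings contain exactly the same letters with the same counts."""
    return Counter(a) == Counter(b)

PLAIN = "WEAREDISCOVEREDRUNATONCE"  # constructed sample plaintext

if __name__ == "__main__":
    print(caesar(PLAIN, 3), same_letters(PLAIN, caesar(PLAIN, 3)))
    print(rail_fence_encrypt(PLAIN, 3),
          same_letters(PLAIN, rail_fence_encrypt(PLAIN, 3)))
```

Because the rail fence output is an exact rearrangement of the plaintext letters, its letter frequencies match the plaintext language, while the Caesar output keeps the frequency pattern but shifts it to other letters.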

PGP (Pretty Good Privacy) Implementation

PGP combines symmetric and asymmetric encryption for secure messaging. Lab exercises reinforced message confidentiality, integrity, and non-repudiation through hands-on encryption tasks.

Key Takeaway: Encrypt with the recipient’s public key, and decrypt with your private key.

Hacking Ethics, Privacy, and Data

The Six Rules of Hacker Ethic

  1. Access should be unlimited and hands-on.
  2. All information should be free.
  3. Mistrust authority; promote decentralization.
  4. Judge hackers by skill, not credentials.
  5. Computers can create art and beauty.
  6. Computers can change lives for the better.

Ethical Hacking vs. Malicious Hacking

Hacking is the act of identifying and exploiting weaknesses in computer systems or networks to gain unauthorized access. The key difference between ethical and malicious hacking lies in intent and permission.

  • Ethical Hacking (White Hat): Performed with authorization to strengthen security. Adheres to rules of engagement and scope defined by management. The focus is learning and strengthening—not exploitation.
  • Malicious Hacking (Black Hat): Performed without authorization for personal gain or harm.

Example: A penetration tester may exploit a company’s misconfigured firewall to demonstrate vulnerabilities and recommend patches.

Responsible Vulnerability Disclosure

Responsible disclosure is an ethical practice where security researchers privately report vulnerabilities to vendors instead of exposing them publicly. This prevents malicious actors from exploiting the flaw while giving developers time to fix it.

Data Ethics and the Contra-Chrome Critique

The short satirical animation Contra-Chrome reimagines Google Chrome’s origin story, exposing how user data is harvested and monetized. The critique highlights that modern browsers track users’ browsing history, search terms, and behavior to build detailed user profiles for advertising.

Privacy is a design choice, not a default. Ethical companies prioritize user agency and transparency. This connects to models like DuckDuckGo. Remember the maxim: “If the service is free, you are the product.”

Trust as a Core Ethical Concern

Trust is essential in cybersecurity because users rely on organizations (e.g., Certificate Authorities, VPN providers) to protect their data. When that trust is broken, both privacy and integrity are compromised. Ethical cybersecurity practice demands accountability, transparency, and responsible data handling.

Open Source Philosophy: Cathedral vs. Bazaar

  • Cathedral: Represents a centralized, hierarchical development structure.
  • Bazaar: Represents open collaboration and decentralized innovation (e.g., Linux, Git, Mastodon, IRC).

Understanding AI and Data Compression

The LLM as a Lossy Encyclopedia

Programmer Simon Willison described a Large Language Model (LLM) as a ‘lossy encyclopedia.’ Like MP3 audio, an LLM compresses immense data but discards detail in the process.

  • Lossy Compression: Reduces data size by removing information (e.g., MP3). Results in approximate answers.
  • Lossless Compression: Allows perfect restoration of the original data (e.g., ZIP, FLAC).

Lesson: Be critical thinkers—don’t take AI outputs at face value. You can go from lossless to lossy, but not back.

Lecture Summary and Key Takeaways

The course covered offensive realism (Red Team, ATM Jackpotting), human weaknesses (Social Engineering, DEF CON talks), data ethics (AI Crawlers, Contra-Chrome), and secure communication fundamentals (Cryptography, PGP labs).

Students simulated Red Team–Blue Team cycles by testing vulnerabilities, documenting findings, and discussing mitigation steps.