COMS W4181: Computer Security I

The lectures and readings listed here are subject to change, including in response to current events (i.e., major news items).

Tuesday, September 08

Introduction and Administrivia

Readings:

Gregory Conti and James Caroland. Embracing the Kobayashi Maru: why you should teach your students to cheat. IEEE Security & Privacy, 9(4):48–51, July–August 2011. URL: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5968086.
Thomas Cook, Gregory Conti, and David Raymond. When good ninjas turn bad: preventing your students from becoming the threat. In Proc. 16th Colloquium for Information System Security Education, 61–67. Citeseer, 2012. URL: http://www.gregconti.com/publications/201206_GoodNinjas.pdf.
“Defining Security”, via Courseworks

Thursday, September 10

Cryptography: Introduction

Readings:

Smith and Marchesini, Chapter 7.
Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES–The Advanced Encryption Standard. Springer-Verlag, Berlin, Heidelberg, 2002, Chapters 2-3; optional; ebook available from the CU library.
D. Coppersmith. The data encryption standard (DES) and its strength against attacks. IBM Journal of Research and Development, 38(3):243–250, May 1994. doi:10.1147/rd.383.0243.
Whitfield Diffie and Martin E. Hellman. Exhaustive cryptanalysis of the NBS data encryption standard. Computer, 10(6):74–84, June 1977. URL: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.5270&rep=rep1&type=pdf.
Gilbert S. Vernam. Cipher printing telegraph systems for secret wire and radio telegraphic communications. Journal of the American Institute of Electrical Engineers, XLV:109–115, February 1926. URL: https://www.cs.columbia.edu/~smb/vernam.pdf.
Steven M. Bellovin. Probable plaintext cryptanalysis of the IP security protocols. In Proc. of the Symposium on Network and Distributed System Security, 155–160. 1997. URL: https://www.cs.columbia.edu/~smb/papers/probtxt.pdf, optional.
Electronic Frontier Foundation. Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design. O'Reilly and Associates, July 1998. URL: https://cryptome.org/jya/cracking-des/cracking-des.htm, optional.
Henry Allen. The spy game. Washington Post, September 3, 1981. URL: https://www.washingtonpost.com/archive/lifestyle/1981/09/03/the-spy-game/bf1edc39-df58-4e0e-b07d-7a802b780da0/, optional.
William J. Broad. Evading the Soviet ear at Glen Cove. Science, 217(4563):910–911, September 3, 1982. doi:10.1126/science.217.4563.910, optional.
Steven M. Bellovin. Frank Miller: inventor of the one-time pad. Technical Report CUCS-009-11, Department of Computer Science, Columbia University, March 2011. A revised version appeared in \emph Cryptologia 35(3), July 2011. URL: https://mice.cs.columbia.edu/getTechreport.php?techreportID=1460&format=pdf&, optional.
Steven M. Bellovin. Vernam, Mauborgne, and Friedman: the one-time pad and the index of coincidence. Technical Report CUCS-014-14, Department of Computer Science, Columbia University, May 2014. URL: https://mice.cs.columbia.edu/getTechreport.php?techreportID=1576&format=pdf&, optional.
Claude E. Shannon. Communication theory of secrecy systems. Bell Systems Technical Journal, 28:656–715, October 1949. URL: http://www.academia.edu/download/32820096/shannon1949.pdf, optional.
Claude E. Shannon. A mathematical theory of communication. Bell System Technical Journal, 27(3,4):379–423,623–656, July, October 1948. URL: https://ieeexplore.ieee.org/abstract/document/6773024, optional.
Entropy for keying material
Code compilation
Twitter thread about apparent incorrect Russian use of one-time pads

Tuesday, September 15

Cryptography: Public Key; Hash Functions

Readings:

Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, November 1976. URL: https://ieeexplore.ieee.org/abstract/document/1055638.
Ronald L. Rivest, Adi Shamir, and Leonard Adleman. A method of obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978. URL: http://doi.acm.org/10.1145/359340.359342.
James Ellis. The possibility of secure non-secret digital encryption. GCHQ, December 16, 1969. URL: https://cryptocellar.org/cesg/possnse.pdf.
Clifford Cocks. A note on `non-secret' encryption'. GCHQ, November 20, 1973. URL: https://cryptocellar.org/cesg/notense.pdf.
Malcom J. Williamson. Non-secret encryption using a finite field. GCHQ, January 21, 1974. URL: https://cryptocellar.org/cesg/secenc.pdf.
Steven Levy. The open secret. Wired, April 1, 1999. URL: https://www.wired.com/1999/04/crypto/.
Final report on Project C-43. Bell Telephone Laboratories, October 12, 1944. URL: https://apps.dtic.mil/dtic/tr/fulltext/u2/a800206.pdf, optional.
Steven M. Bellovin. The prehistory of public key cryptography. URL: https://www.cs.columbia.edu/~smb/nsam-160/, optional.
Ars Staff. A (relatively easy to understand) primer on elliptic curve cryptography. Ars Technica, October 24, 2013. URL: https://arstechnica.com/information-technology/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/.
Dan Goodin. Crypto breakthrough shows Flame was designed by world-class scientists. Ars Technica, June 7, 2012. URL: http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/.
Ronald L. Rivest. The MD5 Message-Digest Algorithm. RFC 1321, April 1992. URL: http://www.rfc-editor.org/rfc/rfc1321.txt.
H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104, February 1997. URL: http://www.rfc-editor.org/rfc/rfc2104.txt.
Katia Moskvitch. Inside the high-stakes race to make quantum computers work. Wired, March 8, 2918. URL: https://www.wired.com/story/inside-the-high-stakes-race-to-make-quantum-computers-work/.
Ariel Bleicher. February 1,. Quanta Magazine, February 1, 2018. URL: https://www.quantamagazine.org/quantum-computers-struggle-against-classical-algorithms-20180201/.
The Story of Alice and Bob (optional)
Post-Quantum Cryptography

Thursday, September 17

Cryptography: Modes of Operation

Readings:

Steven M. Bellovin. Problem areas for the IP security protocols. In Proceedings of the Sixth Usenix Unix Security Symposium, 205–214. July 1996. URL: https://www.cs.columbia.edu/~smb/papers/badesp.pdf.
Steven M. Bellovin. Probable plaintext cryptanalysis of the IP security protocols. In Proc. of the Symposium on Network and Distributed System Security, 155–160. 1997. URL: https://www.cs.columbia.edu/~smb/papers/probtxt.pdf, optional.
Tom Tervoort. Unauthenticated domain controller compromise by subverting Netlogon cryptography. September 2020. URL: https://www.secura.com/pathtoimg.php?id=2055.
R. Baldwin and Ronald L. Rivest. The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms. RFC 2040, October 1996. URL: http://www.rfc-editor.org/rfc/rfc2040.txt.
Block Cipher Techniques, NIST

Tuesday, September 22

Cryptography: Protocols

Readings:

B. Bryant. Designing an authentication system: a dialogue in four scenes. February 8, 1988. Draft. URL: http://web.mit.edu/kerberos/dialogue.html.
R. M. Needham and M. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, December 1978. URL: http://dl.acm.org/citation.cfm?id=359659.
Dorothy E. Denning and Giovanni M. Sacco. Timestamps in key distribution protocols. Communications of the ACM, 24(8):533–536, August 1981. URL: https://dl.acm.org/doi/10.1145/358722.358740.
R. M. Needham and M. Schroeder. Authentication revisited. Operating Systems Review, 21(1):7, January 1987. URL: https://dl.acm.org/doi/pdf/10.1145/24592.24593, optional.
M. Abadi and Roger Needham. Prudent engineering practice for cryptographic protocols. In Proc. IEEE Computer Society Symposium on Research in Security and Privacy, 122–136. Oakland, May 1994. URL: https://ieeexplore.ieee.org/document/296587.
Gavin Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume 1055, 147–166. Springer-Verlag, Berlin Germany, 1996. URL: http://www.intercom.virginia.edu/~evans/crab/lowe96breaking.pdf, optional.
Jennifer Steiner, B. Clifford Neuman, and Jeffrey I. Schiller. Kerberos: an authentication service for open network systems. In Proc. Winter USENIX Conference, 191–202. Dallas, TX, 1988. URL: http://www.cse.nd.edu/~dthain/courses/cse598z/fall2004/papers/kerberos.pdf, optional.

Thursday, September 24

Using Cryptography

Readings:

Smith and Marchesini, Chapter 8.
D. Eastlake, 3rd, Jeffrey I. Schiller, and S. Crocker. Randomness Requirements for Security. RFC 4086, June 2005. URL: http://www.rfc-editor.org/rfc/rfc4086.txt.
K. Moriarty, B. Kaliski, and A. Rusch, editors. PKCS #5: Password-Based Cryptography Specification Version 2.1. RFC 8018, January 2017. URL: http://www.rfc-editor.org/rfc/rfc8018.txt.
Bruce Schneier. The strange story of Dual_EC_DRBG. Schneier on Security (blog), Nov. 15, 2007. URL: http://www.schneier.com/blog/archives/2007/11/the_strange_sto.html.
Kim Zetter. How a crypto `backdoor' pitted the tech world against the NSA. Wired: Threat Level, September 24, 2013. URL: http://www.wired.com/threatlevel/2013/09/nsa-backdoor/all/.
Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J AlexHalderman. Mining your Ps and Qs: detection of widespread weak keys in network devices. In Proceedings of the 21st USENIX Security Symposium. 2012. URL: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final228.pdf.
Dan Simmons. US lottery security boss charged with fixing draw. BBC News, April 14, 2015. URL: http://www.bbc.com/news/technology-32301117.
Elaine Barker, Lily Chen, and RIchard Davis. Recommendation for key-derivation methods in key-establishment schemes. Special Publication 800-56C Revision 2, NIST, August 2020. URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf, optional.
Paul C Kocher. Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems. In Annual International Cryptology Conference, 104–113. Springer, 1996. URL: https://paulkocher.com/doc/TimingAttacks.pdf.
J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Lest we remember: cold boot attacks on encryption keys. In 2008 USENIX Security Symposium, volume 21. 2008. URL: https://www.usenix.org/legacy/events/sec08/tech/full_papers/halderman/halderman.pdf, optional.
Matthew Green. Why can't Apple decrypt your iPhone? A Few Thoughts on Cryptographic Engineering, October 4, 2014. URL: https://blog.cryptographyengineering.com/2014/10/04/why-cant-apple-decrypt-your-iphone/, optional.

Tuesday, September 29

Public Key Infrastructure

Readings:

Smith and Marchesini, Chatper 9-10.
Ross Anderson. Security Engineering. John Wiley & Sons, Inc., Indianapolis, IN, second edition, 2008. URL: http://www.cl.cam.ac.uk/~rja14/book.html, Section 21.4.5.7.
Dennis Fisher. Final report on DigiNotar hack shows total compromise of CA servers. Threatpost, October 31, 2012. URL: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/.
Dan Goodin. Crypto breakthrough shows Flame was designed by world-class scientists. Ars Technica, June 7, 2012. URL: https://arstechnica.com/information-technology/2012/06/flame-crypto-breakthrough/.
Brian Fonseca. VeriSign issues false Microsoft digital certificates. ITWorld, 2001. URL: https://www.itworld.com/article/2798454/verisign-issues-false-microsoft-digital-certificates.html.
Brian Fonseca. VeriSign issues false Microsoft digital certificates. ITWorld, 2001. URL: https://www.itworld.com/article/2798454/verisign-issues-false-microsoft-digital-certificates.html.
Zack Whittaker. Hackers are selling legitimate code-signing certificates to evade malware detection. ZDnet, February 22, 2018. URL: https://www.zdnet.com/article/hackers-are-selling-legitimate-code-signing-certificates-to-evade-malware-detection/.
Sean Gallagher. Patch Windows 10 and Server now because certificate validation is broken. Ars Technica, January 14, 2020. URL: https://arstechnica.com/information-technology/2020/01/patch-windows-10-and-server-now-because-certificate-validation-is-broken/.
Loren M. Kohnfelder. Toward a practical public-key cryptosystem. Master's thesis, Department of Electrical Engineering, Massachusetts Institute of Technology, May 1978, optional.
CERTBOT Documentation, optional

Thursday, October 01

Authentication

Readings:

Robert H. Morris and Ken Thompson. Unix password security. Communications of the ACM, 22(11):594, November 1979. URL: http://dl.acm.org/citation.cfm?id=359172.
Steven M. Bellovin. Password compromises. Tech@FTC blog, September 19, 2012. URL: https://www.ftc.gov/news-events/blogs/techftc/2012/09/password-compromises.
Steven M. Bellovin. Storing passwords, or the risk of a no-salt diet. Tech@FTC blog, March 21, 2013. URL: https://www.ftc.gov/news-events/blogs/techftc/2013/03/storing-passwords-or-risk-no-salt-diet.
Lorrie Cranor. Time to rethink mandatory password changes. Tech@FTC blog, March 2, 2016. URL: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes.
Dinei Florêncio, Cormac Herley, and Baris Coskun. Do strong web passwords accomplish anything? In Proceedings of HOTSEC '07. 2007. URL: http://www.usenix.org/events/hotsec07/tech/full_papers/florencio/florencio.pdf.
Yinqian Zhang, Fabian Monrose, and Michael K. Reiter. The security of modern password expiration: an algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, 176–186. New York, NY, USA, 2010. ACM. URL: http://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf, doi:http://doi.acm.org/10.1145/1866307.1866328.
Andy Greenberg. So hey you should stop using texts for two-factor authentication. Wired, June 26, 2016. URL: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/.
Brian Krebs. The limits of SMS for 2-factor authentication. Krebs on Security, September 16, 2016. URL: https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentication/.
Daniel Terdiman. Google security exec: 'passwords are dead'. CNET, September 10, 2013. URL: https://www.cnet.com/news/google-security-exec-passwords-are-dead/.
Alex Hern. Hacker fakes German minister's fingerprints using photos of her hands. The Guardian, December 30, 2014. URL: https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands.
Dr. Fun
User Friendly

Friday, October 02

Homework due:

Homework 1 (Encrypted File Store)

Tuesday, October 06

Transport Layer Security

Final Project

TLS: Transport Layer Security

Readings:

Smith and Marchesini, Sections 12.2.2-12.2.3.
What is TLS/SSL. October 10, 2009. URL: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784450(v=ws.10).
How TLS/SSL works. January 8, 2015. URL: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783349(v=ws.10).
Taher Elgamal, Jeff Treuhaft, and Frank Chen. Securing communications on the intranet and over the Internet. Netscape Communications Corporation, July 1996. URL: http://users.salleurl.edu/~marcg/Documentacio/general/Internet_Security.ps.
Cloudflare. What happens in a TLS handshake? 2020. URL: https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/.
Eric K. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018. URL: http://www.rfc-editor.org/rfc/rfc8446.txt, Very optional.

Thursday, October 08

Web Security 1

Readings:

Marty Kalin. Getting started with OpenSSL: cryptography basics. June 19, 2019. URL: https://opensource.com/article/19/6/cryptography-basics-openssl-part-1.
Sean Gallagher. Turkish government agency spoofed Google certificate “accidentally”. Ars Technica, January 04, 2013. URL: https://arstechnica.com/information-technology/2013/01/turkish-government-agency-spoofed-google-certificate-accidentally/.
Randall Munroe. Exploits of a mom. October 10, 2007. URL: https://xkcd.com/327/.
What is certificate transparency? URL: https://www.certificate-transparency.org/what-is-ct, optional.

Tuesday, October 13

Web Security 2: Client-Server

Readings:

A. Barth. HTTP State Management Mechanism. RFC 6265, April 2011. URL: http://www.rfc-editor.org/rfc/rfc6265.txt.
Alex Hern. Major sites including New York Times and BBC hit by `ransomware' malvertising. Guardian, March 16, 2016. URL: https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising.
Michael Mimoso. iOS developer site at core of Facebook, Apple watering hole attack. Threatpost, February 20, 2013. URL: https://threatpost.com/ios-developer-site-core-facebook-apple-watering-hole-attack-022013/77546/.
Asha Barbaschow. Yahoo says 32m user accounts were accessed via cookie forging attack. ZDnet, March 2, 2017. URL: https://www.zdnet.com/article/yahoo-says-32m-user-accounts-accessed-via-cookie-forging-attack/.
Scott White. Theft from online shopping carts—past and present. TrustedSec, June 4, 2020. URL: https://www.trustedsec.com/blog/theft-from-online-shopping-carts-past-and-present/.
Chris Foresman. iPad 3G user e-mail addresses leaked by AT&T servers. Ars Technica, June 10, 2010. URL: https://arstechnica.com/gadgets/2010/06/ipad-3g-user-e-mail-addresses-leaked-by-att-servers/.
Kim Zetter. Palin e-mail hacker says it was easy. Wired, September 18, 2008. URL: https://www.wired.com/2008/09/palin-e-mail-ha/.
Natasha Singer. Your online attention, bought in an instant by advertisers. New York Times, November 17, 2012. URL: https://www.nytimes.com/2012/11/18/technology/your-online-attention-bought-in-an-instant-by-advertisers.html, optional.
Peter Eckersley. How unique is your web browser? In International Symposium on Privacy Enhancing Technologies Symposium (PETS), 1–18. Springer, 2010. URL: https://www.freehaven.net/anonbib/cache/pets2010:eckersley2010unique.pdf, optional.

Thursday, October 15

Memory Safety

Readings:

SophosLabs Offensive Security. Top reason to apply October, 2020's Microsoft patches: Ping of Death redux. Sophos News, 2020. URL: https://news.sophos.com/en-us/2020/10/13/top-reason-to-apply-october-2020s-microsoft-patches-ping-of-death-redux/.
Ms. Smith. Report: over 80% mobile apps have crypto flaws, 4 of 5 web apps fail OWASP security. NetworkWorld, December 6, 2015. URL: http://www.networkworld.com/article/3012272/security/report-over-80-mobile-apps-have-crypto-flaws-4-of-5-web-apps-fail-owasp-security.html.
C.A.R. Hoare. The emperor's old clothes. Communications of the ACM, 24(2):75–83, February 1981. URL: http://dl.acm.org/citation.cfm?id=358549.358561.
Brian Chess and Gary McGraw. Static analysis for security. IEEE Security & Privacy, 2(6):76–79, 2004. URL: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.441.5528&rep=rep1&type=pdf.
Mudge. How to write buffer overflows. October 20, 1995. Note: At the time there was a vulnerability in vsnprintf, Essentially turning it into vsprintf(). I use that as an example. That was the exploit for sendmail 8.6.12(??); however, the vsnprintf bug has been long since fixed. URL: https://insecure.org/stf/mudge_buffer_overflow_tutorial.html.
Aleph One. Smashing the stack for fun and profit. Phrack, November 1996. URL: http://www.phrack.org/issues/49/14.html#article.
Mark Yason. Use-after-frees: that pointer may be pointing to something bad. Security Intelligence, April 1, 2013. URL: https://securityintelligence.com/use-after-frees-that-pointer-may-be-pointing-to-something-bad/.
Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Long Lu, and Wenke Lee. Preventing use-after-free with dangling pointers nullification. In NDSS. 2015. URL: https://wenke.gtisc.gatech.edu/papers/dangnull.pdf.
Erik Buchanan, Ryan Roemer, Stefan Savage, and Hovav Shacham. Return-oriented programming: exploitation without code injection. Black Hat, 2008. URL: https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf.
Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage. Return-oriented programming: systems, languages, and applications. ACM Transactions on Information and System Security (TISSEC), 15(1):1–34, 2012. URL: https://hovav.net/ucsd/dist/rop.pdf, skim.

Monday, October 19

Homework due:

Homework 2 (OpenSSL Familiarization)
SSH_Directions.pdf

Tuesday, October 20

Access Control

Readings:

Smith and Marchesini, Chapter 2.
The man page for Linux access control lists

Thursday, October 22

Election Security

Guest lecturer: Matt Blaze, Georgetown University Computer Science and Law

Readings:

Matt Blaze. Election integrity and technology: vulnerabilities and soluions. Georgetown Law Technology Review, 4:505, 2020. URL: https://georgetownlawtechreview.org/wp-content/uploads/2020/07/4.2-p505-522-Blaze.pdf.
National Academies of Sciences, Engineering and Medicine. Securing the Vote: Protecting American Democracy. The National Academies Press, Washington, DC, 2018. ISBN 978-0-309-47647-8. URL: https://www.nap.edu/catalog/25120/securing-the-vote-protecting-american-democracy, doi:10.17226/25120, executive summary.
Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, and Dan S. Wallach. Analysis of an electronic voting system. In IEEE Symposium on Security and Privacy. May 2004. URL: http://avirubin.com/vote.pdf.
Celeste Katz. Hack-vulnerable voting machines a `national security threat', experts warn. Newsweek, October 10, 2017. URL: http://www.newsweek.com/hacking-defcon-voting-machines-technology-software-eac-russia-meddling-681759.
Avi Rubin. My day at the polls. Avi Rubin's Blog, November 4, 2008. URL: https://avi-rubin.blogspot.com/2008/11/my-day-at-polls.html.
Nicole Perlroth. In election interference, it's what reporters didn't find that matters. New York Times, Sept. 1, 2017. URL: https://www.nytimes.com/2017/09/01/insider/in-election-interference-its-what-reporters-didnt-find-that-matters.html.
Michael Wines Nicole Perlroth and Matthew Rosenberg. Russian election hacking efforts, wider than previously known, draw little scrutiny. New York Times, Sept. 1, 2017. URL: https://www.nytimes.com/2017/09/01/us/politics/russia-election-hacking.html.
Matthew Rosenberg David E. Sanger, Nicole Perlroth, and Matthew Rosenberg. Amid pandemic and upheaval, new cyberthreats to the presidential election. New York Times, June 7, 2020. URL: https://www.nytimes.com/2020/06/07/us/politics/remote-voting-hacking-coronavirus.html.
Cynthia McFadden, William M. Arkin, Kevin Monahan, and Ken Dilanian. U.S. intel: Russia compromised seven states prior to 2016 election. NBC News, February 27, 2018. URL: https://www.nbcnews.com/politics/elections/u-s-intel-russia-compromised-seven-states-prior-2016-election-n850296.
Mark Lindeman and Philip B Stark. A gentle introduction to risk-limiting audits. IEEE Security & Privacy, 10(5):42–49, 2012. URL: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.229.883&rep=rep1&type=pdf.
Ann Marie Awad. Colorado launches first in the nation post-election audits. NPR, November 22, 2017. URL: https://www.npr.org/2017/11/22/566039611/colorado-launches-first-in-the-nation-post-election-audits.
Steven M. Bellovin. Mail-in ballots are secure, confidential, and trustworthy. Columbia News, October 23, 2020. URL: https://news.columbia.edu/in-mail-absentee-ballots-secure-vote-election.

Tuesday, October 27

Complex Access Control

Readings:

Smith and Marchesini, Chapter 3.
M. D. McIlroy and J. A. Reeds. Multilevel security in the Unix tradition. Software—Practice and Experience, 22(8):673–694, 1992. URL: http://onlinelibrary.wiley.com/doi/10.1002/spe.4380220805/abstract, optional.
Marking Classified National Security Information (optional)
Report on the U.S. Intelligence Community's Prewar Intelligence Assessments on Iraq (the document from which the sample marked page was taken; very optional)

Thursday, October 29

Homework due:

Homework 3 (Email System)
Version replaced 10/20
Version replaced 10/26

Privileged Programs

Thursday, November 05

Secure Programming; Sandboxing

Readings:

Chenxi Wang. Containers 101: Linux containers and Docker explained. InfoWorld, May 26, 2016. URL: http://www.infoworld.com/article/3072929/linux/containers-101-linux-containers-and-docker-explained.html.
Lee Badger, Daniel F Sterne, David L Sherman, Kenneth M Walker, and Sheila A Haghighat. A domain and type enforcement unix prototype. Computing Systems, 9(1):47–83, 1996. URL: http://static.usenix.org/publications/library/proceedings/security95/full_papers/badger.pdf.
Ian Goldberg, David A. Wagner, Randi Thomas, and Eric A. Brewer. A secure environment for untrusted helper applications. In Proceedings of the Sixth USENIX Security Symposium. San Jose, CA, USA, 1996. URL: http://HTTP.CS.Berkeley.EDU/~daw/janus/.
The somewhat surprising history of chroot()
Docker Security

Tuesday, November 10

Sandboxing and Isolation 2

Readings:

AppContainers for Windows 8: what are they and how can you create them? Apriorit, October 8, 2019. URL: https://medium.com/that-feeling-when-it-is-compiler-fault/appcontainers-for-windows-8-what-are-they-and-how-can-you-create-them-e5970a28eea4.

Thursday, November 12

TCP/IP Issues

Readings:

J. H. Saltzer, D. P. Reed, and D. D. Clark. End-to-end arguments in system design. ACM Trans. Comput. Syst., 2(4):277–288, 1984. doi:http://doi.acm.org/10.1145/357401.357402.
T.J. Socolofsky and C.J. Kale. TCP/IP tutorial. RFC 1180, January 1991. URL: http://www.rfc-editor.org/rfc/rfc1180.txt.
Steven M. Bellovin. A look back at “Security problems in the TCP/IP protocol suite”. In Annual Computer Security Applications Conference. December 2004. Invited paper. URL: https://www.cs.columbia.edu/~smb/papers/acsac-ipext.pdf.
BBC. Russia highway robbery: official `stole 50km road'. BBC News, January 14, 2016. URL: https://www.bbc.com/news/world-europe-35312492.
J. Postel. Internet Protocol. RFC 791, September 1981. URL: http://www.rfc-editor.org/rfc/rfc791.txt, optional.
J. Postel. Transmission Control Protocol. RFC 793, September 1981. URL: http://www.rfc-editor.org/rfc/rfc793.txt, optional.
D. Plummer. An Ethernet Address Resolution Protocol: Or Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware. RFC 826, November 1982. URL: http://www.rfc-editor.org/rfc/rfc826.txt, optional.
J. Postel. User Datagram Protocol. RFC 768, August 1980. URL: http://www.rfc-editor.org/rfc/rfc768.txt, optional.
Steven M. Bellovin. The Security Flag in the IPv4 Header. RFC 3514, April 01, 2003. URL: http://www.rfc-editor.org/rfc/rfc3514.txt, optional.
D. Waitzman. Standard for the transmission of IP datagrams on avian carriers. RFC 1149, April 01, 1990. URL: http://www.rfc-editor.org/rfc/rfc1149.txt, optional.
D. Waitzman. IP over Avian Carriers with Quality of Service. RFC 2549, April 01, 1999. URL: http://www.rfc-editor.org/rfc/rfc2549.txt, optional.

Tuesday, November 17

Homework due:

Homework 4 (Permissions and Privileges)
Shell script (run via 'sudo') to add users
Version replaced 11/12

Domain Name System

Readings:

Steven M. Bellovin. Using the domain name system for system break-ins. In Proceedings of the Fifth Usenix Unix Security Symposium, 199–208. Salt Lake City, UT, June 1995. URL: https://www.cs.columbia.edu/~smb/papers/dnshack.pdf.
Dan Goodin. DNS cache poisoning, the Internet attack from 2008, is back from the dead. Ars Technica, November 12, 2020. URL: https://arstechnica.com/information-technology/2020/11/researchers-find-way-to-revive-kaminskys-2008-dns-cache-poisoning-attack/.
Cloudflare. How DNSSEC works. 2020. URL: https://www.cloudflare.com/dns/dnssec/how-dnssec-works/.
P.V. Mockapetris. Domain names—concepts and facilities. RFC 1034, November 1987. URL: http://www.rfc-editor.org/rfc/rfc1034.txt, optional.
R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. RFC 4033, March 2005. URL: http://www.rfc-editor.org/rfc/rfc4033.txt, very optional.
Steven M. Bellovin, Real Attacks and Threat Models, IETF 67, San Diego, CA, November 2006.

Thursday, November 19

Routing and BGP

Readings:

Lily May Newman. A broken piece of Internet backbone might finally get fixed. Wired, December 2, 2020. URL: https://www.wired.com/story/bgp-routing-manrs-google-fix/.
BGP.us. Bgp case studies. 2016. URL: https://www.bgp.us/case-studies/.
Dan Goodin. Hacking Team orchestrated brazen BGP hack to hijack IPs it didn't own. Ars Technica, 2015. URL: http://arstechnica.com/security/2015/07/hacking-team-orchestrated-brazen-bgp-hack-to-hijack-ips-it-didnt-own/.
Pierre-Antoine Vervier, Olivier Thonnard, and Marc Dacier. Mind your blocks: on the stealthiness of malicious BGP hijacks. In Proceedings of NDSS '15. 2015. URL: http://www.internetsociety.org/doc/mind-your-blocks-stealthiness-malicious-bgp-hijacks.
Craig Timberg. The long life of a quick `fix”. Washington Post, May 31, 2015. URL: https://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/.
Fred Baker. Internet routing with MANRS. 2018. URL: https://www.manrs.org/wp-content/uploads/2018/11/Internet-Routing-with-MANRS.pdf.
Anirudh Ramachandran and Nick Feamster. Understanding the network-level behavior of spammers. ACM SIGCOMM Computer Communication Review, 36(4):291–302, 2006.
S. Murphy, M. Badger, and B. Wellington. OSPF with Digital Signatures. RFC 2154, June 1997. URL: http://www.rfc-editor.org/rfc/rfc2154.txt, optional.
M. Lepinski and Stephen T. Kent. An Infrastructure to Support Secure Internet Routing. RFC 6480, February 2012. URL: http://www.rfc-editor.org/rfc/rfc6480.txt, optional.
Stephen T. Kent and A. Chi. Threat Model for BGP Path Security. RFC 7132, February 2014. URL: http://www.rfc-editor.org/rfc/rfc7132.txt, optional.

Tuesday, November 24

Homework due:

Intermediate Project (Intermediate Project)

Firewalls

Readings:

William R. Cheswick and Steven M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, MA, 1st edition, 1994. ISBN 0201633574. URL: http://www.wilyhacker.com/1e/, Chapter 1.
William R. Cheswick and Steven M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, MA, 1st edition, 1994. ISBN 0201633574. URL: http://www.wilyhacker.com/1e/, The rest of the book is optional.

Tuesday, December 01

Virtual Private Networks

Readings:

W. Simpson. IP in IP Tunneling. RFC 1853, October 1995. URL: http://www.rfc-editor.org/rfc/rfc1853.txt.
G. Dommety. Key and Sequence Number Extensions to GRE. RFC 2890, September 2000. URL: http://www.rfc-editor.org/rfc/rfc2890.txt.
Stephen T. Kent and K. Seo. Security Architecture for the Internet Protocol. RFC 4301, December 2005. URL: http://www.rfc-editor.org/rfc/rfc4301.txt, skim.

Thursday, December 03

Denial of Service Attacks

Readings:

John Leyden. The 30-year-old prank that became the first computer virus. The Register, 2012. URL: https://www.theregister.com/2012/12/14/first_virus_elk_cloner_creator_interviewed/.
Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to own the Internet in your spare time. In Proceedings of the 11th USENIX Security Symposium. San Francisco, CA, USA, 2002. URL: https://www.icir.org/vern/papers/cdc-usenix-sec02/.
F-Secure. Virus: dos/cih. 2002. URL: https://www.f-secure.com/v-descs/cih.shtml.
Timothy B. Lee. How a grad student trying to build the first botnet brought the Internet to its knees. Washington Post, November 1, 2013. URL: https://www.washingtonpost.com/news/the-switch/wp/2013/11/01/how-a-grad-student-trying-to-build-the-first-botnet-brought-the-internet-to-its-knees/?arc404=true.
Josh Fruhlinger. Ransomware explained: how it works and how to remove it. CSO, June 19, 2020. URL: https://www.csoonline.com/article/3236183/what-is-ransomware-how-it-works-and-how-to-remove-it.html.
Aaron Mak. How scammers steal your computing power to mine cryptocurrencies. Slate, February 1, 2015. URL: https://slate.com/technology/2018/02/what-is-cryptojacking-the-bitcoin-and-monero-mining-process-that-steals-your-computing-power-explained.html.
Aaron Mak. Salon is asking readers to mine cryptocurrency if they don't want to see ads. Slate, February 13, 2018. URL: https://slate.com/technology/2018/02/salon-is-offering-readers-to-suppress-ads-in-exchange-for-cryptocurrency-mining-power.html.
Marty Niland. Virus disrupts train signals. CBS News, August 21, 2003. URL: https://www.cbsnews.com/news/virus-disrupts-train-signals/.
Robert Stone. Centertrack: an ip overlay network for tracking dos floods. In 9th Usenix Security Symposium. 2000. URL: http://www.usenix.org/publications/library/proceedings/sec2000/full_papers/stone/stone.ps.
Computer Emergency Response Team. Distributed denial of service tools. Incident Note IN-99-07, CERT, January 15, 2001. URL: https://web.archive.org/web/20100626210554/http://www.cert.org/incident_notes/IN-99-07.html.
Geoffrey Cheng. Malware FAQ: analysis on DDOS tool Stacheldraht v1.666. 2000. URL: https://www.sans.org/security-resources/malwarefaq/stacheldraht.
U.S. Department of Justice. Seven iranians working for islamic revolutionary guard corps-affiliated entities charged for conducting coordinated campaign of cyber attacks against u.s. financial sector. March 24, 2016. URL: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged.
Michael Kan. Google says biggest ddos attack on record hit the company in 2017. PC Magazine, October 16, 2020. URL: https://www.pcmag.com/news/google-says-biggest-ddos-attack-on-record-hit-the-company-in-2017.
Dan Goodin. How Google fought back against a crippling iot-powered botnet and won. Ars Technica, February 02, 2017. URL: https://arstechnica.com/information-technology/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/.

Tuesday, December 08

Homework due:

Homework 5 (Attacking Mail Systems)

Computer Security and Ethics

Readings:

Nicole Radziwill, Jessica Romano, Diane Shorter, and Morgan C. Benton. The ethics of hacking: should it be taught? CoRR, 2015. URL: http://arxiv.org/abs/1512.02707, arXiv:1512.02707.
Gregory Conti and James Caroland. Embracing the Kobayashi Maru: why you should teach your students to cheat. IEEE Security & Privacy, 9(4):48–51, July–August 2011. URL: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5968086.
C. T. Holzer and J. E. Lerums. The ethics of hacking back. In 2016 IEEE Symposium on Technologies for Homeland Security (HST), 1–6. 2016. URL: https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2016-01.pdf.
Dan Goodin. Vigilante botnet infects IoT devices before blackhats can hijack them. Ars Technica, April 19, 2017. URL: https://arstechnica.com/information-technology/2017/04/vigilante-botnet-infects-iot-devices-before-blackhats-can-hijack-them/.
Peter Bright. DoJ, FBI set up command-and-control servers, take down botnet. Ars Technica, April 14, 2011. URL: https://arstechnica.com/information-technology/2011/04/doj-fbi-set-up-command-and-control-servers-take-down-botnet/.
Catalin Cimpanu. Avast and french police take over malware botnet and disinfect 850,000 computers. ZDnet, August 28, 2019. URL: https://www.zdnet.com/article/avast-and-french-police-take-over-malware-botnet-and-disinfect-850000-computers/.
A. M. Matwyshyn, A. Cui, A. D. Keromytis, and S. J. Stolfo. Ethics in security vulnerability research. IEEE Security Privacy, 8(2):67–72, 2010. URL: https://academiccommons.columbia.edu/doi/10.7916/D8JQ19F5/download.
Sean Gallagher. Maryland bill would outlaw ransomware, keep researchers from reporting bugs. Ars Technica, January 27, 2020. URL: https://arstechnica.com/information-technology/2020/01/good-news-maryland-bill-would-make-ransomware-a-crime/.
Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn, and Thomas Santoro. The computer worm. February 6, 1989. URL: http://simson.net/ref/1989/Cornell_Worm_Report_1989.pdf.
Steven M. Bellovin, Scott O. Bradner, Whitfield Diffie, Susan Landau, and Jennifer Rexford. As simple as possible—but not more so. Communications of the ACM, 2011. Note: this is a shorter version of “Can it really work?”. URL: https://www.cs.columbia.edu/~smb/papers/simple-as-possible.pdf.