The lectures and readings listed here are subject to change, including in response to current events (i.e., major news items).
Tuesday, September 08
Readings:
- Gregory Conti and James Caroland. Embracing the Kobayashi Maru: why you should teach your students to cheat. IEEE Security & Privacy, 9(4):48–51, July–August 2011. URL: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5968086.
- Thomas Cook, Gregory Conti, and David Raymond. When good ninjas turn bad: preventing your students from becoming the threat. In Proc. 16th Colloquium for Information System Security Education, 61–67. Citeseer, 2012. URL: http://www.gregconti.com/publications/201206_GoodNinjas.pdf.
- “Defining Security”, via Courseworks
Thursday, September 10
Readings:
- Smith and Marchesini, Chapter 7.
- Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES–The Advanced Encryption Standard. Springer-Verlag, Berlin, Heidelberg, 2002, Chapters 2-3; optional; ebook available from the CU library.
- D. Coppersmith. The data encryption standard (DES) and its strength against attacks. IBM Journal of Research and Development, 38(3):243–250, May 1994. doi:10.1147/rd.383.0243.
- Whitfield Diffie and Martin E. Hellman. Exhaustive cryptanalysis of the NBS data encryption standard. Computer, 10(6):74–84, June 1977. URL: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.129.5270&rep=rep1&type=pdf.
- Gilbert S. Vernam. Cipher printing telegraph systems for secret wire and radio telegraphic communications. Journal of the American Institute of Electrical Engineers, XLV:109–115, February 1926. URL: https://www.cs.columbia.edu/~smb/vernam.pdf.
- Steven M. Bellovin. Probable plaintext cryptanalysis of the IP security protocols. In Proc. of the Symposium on Network and Distributed System Security, 155–160. 1997. URL: https://www.cs.columbia.edu/~smb/papers/probtxt.pdf, optional.
- Electronic Frontier Foundation. Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design. O'Reilly and Associates, July 1998. URL: https://cryptome.org/jya/cracking-des/cracking-des.htm, optional.
- Henry Allen. The spy game. Washington Post, September 3, 1981. URL: https://www.washingtonpost.com/archive/lifestyle/1981/09/03/the-spy-game/bf1edc39-df58-4e0e-b07d-7a802b780da0/, optional.
- William J. Broad. Evading the Soviet ear at Glen Cove. Science, 217(4563):910–911, September 3, 1982. doi:10.1126/science.217.4563.910, optional.
- Steven M. Bellovin. Frank Miller: inventor of the one-time pad. Technical Report CUCS-009-11, Department of Computer Science, Columbia University, March 2011. A revised version appeared in Cryptologia 35(3), July 2011. URL: https://mice.cs.columbia.edu/getTechreport.php?techreportID=1460&format=pdf&, optional.
- Steven M. Bellovin. Vernam, Mauborgne, and Friedman: the one-time pad and the index of coincidence. Technical Report CUCS-014-14, Department of Computer Science, Columbia University, May 2014. URL: https://mice.cs.columbia.edu/getTechreport.php?techreportID=1576&format=pdf&, optional.
- Claude E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28:656–715, October 1949. URL: http://www.academia.edu/download/32820096/shannon1949.pdf, optional.
- Claude E. Shannon. A mathematical theory of communication. Bell System Technical Journal, 27(3,4):379–423,623–656, July, October 1948. URL: https://ieeexplore.ieee.org/abstract/document/6773024, optional.
- Entropy for keying material
- Code compilation
- Twitter thread about apparent incorrect Russian use of one-time pads
Tuesday, September 15
Readings:
- Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, November 1976. URL: https://ieeexplore.ieee.org/abstract/document/1055638.
- Ronald L. Rivest, Adi Shamir, and Leonard Adleman. A method of obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978. URL: http://doi.acm.org/10.1145/359340.359342.
- James Ellis. The possibility of secure non-secret digital encryption. GCHQ, December 16, 1969. URL: https://cryptocellar.org/cesg/possnse.pdf.
- Clifford Cocks. A note on `non-secret' encryption. GCHQ, November 20, 1973. URL: https://cryptocellar.org/cesg/notense.pdf.
- Malcolm J. Williamson. Non-secret encryption using a finite field. GCHQ, January 21, 1974. URL: https://cryptocellar.org/cesg/secenc.pdf.
- Steven Levy. The open secret. Wired, April 1, 1999. URL: https://www.wired.com/1999/04/crypto/.
- Final report on Project C-43. Bell Telephone Laboratories, October 12, 1944. URL: https://apps.dtic.mil/dtic/tr/fulltext/u2/a800206.pdf, optional.
- Steven M. Bellovin. The prehistory of public key cryptography. URL: https://www.cs.columbia.edu/~smb/nsam-160/, optional.
- Ars Staff. A (relatively easy to understand) primer on elliptic curve cryptography. Ars Technica, October 24, 2013. URL: https://arstechnica.com/information-technology/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/.
- Dan Goodin. Crypto breakthrough shows Flame was designed by world-class scientists. Ars Technica, June 7, 2012. URL: http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/.
- Ronald L. Rivest. The MD5 Message-Digest Algorithm. RFC 1321, April 1992. URL: http://www.rfc-editor.org/rfc/rfc1321.txt.
- H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104, February 1997. URL: http://www.rfc-editor.org/rfc/rfc2104.txt.
- Katia Moskvitch. Inside the high-stakes race to make quantum computers work. Wired, March 8, 2018. URL: https://www.wired.com/story/inside-the-high-stakes-race-to-make-quantum-computers-work/.
- Ariel Bleicher. Quanta Magazine, February 1, 2018. URL: https://www.quantamagazine.org/quantum-computers-struggle-against-classical-algorithms-20180201/.
- The Story of Alice and Bob (optional)
- Post-Quantum Cryptography
Thursday, September 17
Readings:
- Steven M. Bellovin. Problem areas for the IP security protocols. In Proceedings of the Sixth Usenix Unix Security Symposium, 205–214. July 1996. URL: https://www.cs.columbia.edu/~smb/papers/badesp.pdf.
- Steven M. Bellovin. Probable plaintext cryptanalysis of the IP security protocols. In Proc. of the Symposium on Network and Distributed System Security, 155–160. 1997. URL: https://www.cs.columbia.edu/~smb/papers/probtxt.pdf, optional.
- Tom Tervoort. Unauthenticated domain controller compromise by subverting Netlogon cryptography. September 2020. URL: https://www.secura.com/pathtoimg.php?id=2055.
- R. Baldwin and Ronald L. Rivest. The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms. RFC 2040, October 1996. URL: http://www.rfc-editor.org/rfc/rfc2040.txt.
- Block Cipher Techniques, NIST
Tuesday, September 22
Readings:
- B. Bryant. Designing an authentication system: a dialogue in four scenes. February 8, 1988. Draft. URL: http://web.mit.edu/kerberos/dialogue.html.
- R. M. Needham and M. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, December 1978. URL: http://dl.acm.org/citation.cfm?id=359659.
- Dorothy E. Denning and Giovanni M. Sacco. Timestamps in key distribution protocols. Communications of the ACM, 24(8):533–536, August 1981. URL: https://dl.acm.org/doi/10.1145/358722.358740.
- R. M. Needham and M. Schroeder. Authentication revisited. Operating Systems Review, 21(1):7, January 1987. URL: https://dl.acm.org/doi/pdf/10.1145/24592.24593, optional.
- M. Abadi and Roger Needham. Prudent engineering practice for cryptographic protocols. In Proc. IEEE Computer Society Symposium on Research in Security and Privacy, 122–136. Oakland, May 1994. URL: https://ieeexplore.ieee.org/document/296587.
- Gavin Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume 1055, 147–166. Springer-Verlag, Berlin, Germany, 1996. URL: http://www.intercom.virginia.edu/~evans/crab/lowe96breaking.pdf, optional.
- Jennifer Steiner, B. Clifford Neuman, and Jeffrey I. Schiller. Kerberos: an authentication service for open network systems. In Proc. Winter USENIX Conference, 191–202. Dallas, TX, 1988. URL: http://www.cse.nd.edu/~dthain/courses/cse598z/fall2004/papers/kerberos.pdf, optional.
Thursday, September 24
Readings:
- Smith and Marchesini, Chapter 8.
- D. Eastlake, 3rd, Jeffrey I. Schiller, and S. Crocker. Randomness Requirements for Security. RFC 4086, June 2005. URL: http://www.rfc-editor.org/rfc/rfc4086.txt.
- K. Moriarty, B. Kaliski, and A. Rusch, editors. PKCS #5: Password-Based Cryptography Specification Version 2.1. RFC 8018, January 2017. URL: http://www.rfc-editor.org/rfc/rfc8018.txt.
- Bruce Schneier. The strange story of Dual_EC_DRBG. Schneier on Security (blog), Nov. 15, 2007. URL: http://www.schneier.com/blog/archives/2007/11/the_strange_sto.html.
- Kim Zetter. How a crypto `backdoor' pitted the tech world against the NSA. Wired: Threat Level, September 24, 2013. URL: http://www.wired.com/threatlevel/2013/09/nsa-backdoor/all/.
- Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Mining your Ps and Qs: detection of widespread weak keys in network devices. In Proceedings of the 21st USENIX Security Symposium. 2012. URL: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final228.pdf.
- Dan Simmons. US lottery security boss charged with fixing draw. BBC News, April 14, 2015. URL: http://www.bbc.com/news/technology-32301117.
- Elaine Barker, Lily Chen, and Richard Davis. Recommendation for key-derivation methods in key-establishment schemes. Special Publication 800-56C Revision 2, NIST, August 2020. URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf, optional.
- Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Annual International Cryptology Conference, 104–113. Springer, 1996. URL: https://paulkocher.com/doc/TimingAttacks.pdf.
- J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Lest we remember: cold boot attacks on encryption keys. In 2008 USENIX Security Symposium, volume 21. 2008. URL: https://www.usenix.org/legacy/events/sec08/tech/full_papers/halderman/halderman.pdf, optional.
- Matthew Green. Why can't Apple decrypt your iPhone? A Few Thoughts on Cryptographic Engineering, October 4, 2014. URL: https://blog.cryptographyengineering.com/2014/10/04/why-cant-apple-decrypt-your-iphone/, optional.
Tuesday, September 29
Readings:
- Smith and Marchesini, Chapters 9-10.
- Ross Anderson. Security Engineering. John Wiley & Sons, Inc., Indianapolis, IN, second edition, 2008. URL: http://www.cl.cam.ac.uk/~rja14/book.html, Section 21.4.5.7.
- Dennis Fisher. Final report on DigiNotar hack shows total compromise of CA servers. Threatpost, October 31, 2012. URL: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/.
- Dan Goodin. Crypto breakthrough shows Flame was designed by world-class scientists. Ars Technica, June 7, 2012. URL: https://arstechnica.com/information-technology/2012/06/flame-crypto-breakthrough/.
- Brian Fonseca. VeriSign issues false Microsoft digital certificates. ITWorld, 2001. URL: https://www.itworld.com/article/2798454/verisign-issues-false-microsoft-digital-certificates.html.
- Zack Whittaker. Hackers are selling legitimate code-signing certificates to evade malware detection. ZDnet, February 22, 2018. URL: https://www.zdnet.com/article/hackers-are-selling-legitimate-code-signing-certificates-to-evade-malware-detection/.
- Sean Gallagher. Patch Windows 10 and Server now because certificate validation is broken. Ars Technica, January 14, 2020. URL: https://arstechnica.com/information-technology/2020/01/patch-windows-10-and-server-now-because-certificate-validation-is-broken/.
- Loren M. Kohnfelder. Toward a practical public-key cryptosystem. Master's thesis, Department of Electrical Engineering, Massachusetts Institute of Technology, May 1978, optional.
- CERTBOT Documentation, optional
Thursday, October 01
Readings:
- Robert H. Morris and Ken Thompson. Unix password security. Communications of the ACM, 22(11):594, November 1979. URL: http://dl.acm.org/citation.cfm?id=359172.
- Steven M. Bellovin. Password compromises. Tech@FTC blog, September 19, 2012. URL: https://www.ftc.gov/news-events/blogs/techftc/2012/09/password-compromises.
- Steven M. Bellovin. Storing passwords, or the risk of a no-salt diet. Tech@FTC blog, March 21, 2013. URL: https://www.ftc.gov/news-events/blogs/techftc/2013/03/storing-passwords-or-risk-no-salt-diet.
- Lorrie Cranor. Time to rethink mandatory password changes. Tech@FTC blog, March 2, 2016. URL: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes.
- Dinei Florêncio, Cormac Herley, and Baris Coskun. Do strong web passwords accomplish anything? In Proceedings of HOTSEC '07. 2007. URL: http://www.usenix.org/events/hotsec07/tech/full_papers/florencio/florencio.pdf.
- Yinqian Zhang, Fabian Monrose, and Michael K. Reiter. The security of modern password expiration: an algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, 176–186. New York, NY, USA, 2010. ACM. URL: http://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf, doi:http://doi.acm.org/10.1145/1866307.1866328.
- Andy Greenberg. So hey you should stop using texts for two-factor authentication. Wired, June 26, 2016. URL: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/.
- Brian Krebs. The limits of SMS for 2-factor authentication. Krebs on Security, September 16, 2016. URL: https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentication/.
- Daniel Terdiman. Google security exec: 'passwords are dead'. CNET, September 10, 2013. URL: https://www.cnet.com/news/google-security-exec-passwords-are-dead/.
- Alex Hern. Hacker fakes German minister's fingerprints using photos of her hands. The Guardian, December 30, 2014. URL: https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands.
- Dr. Fun
- User Friendly
Friday, October 02
Homework due:
Tuesday, October 06
Transport Layer Security
Readings:
- Smith and Marchesini, Sections 12.2.2-12.2.3.
- What is TLS/SSL. October 10, 2009. URL: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784450(v=ws.10).
- How TLS/SSL works. January 8, 2015. URL: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783349(v=ws.10).
- Taher Elgamal, Jeff Treuhaft, and Frank Chen. Securing communications on the intranet and over the Internet. Netscape Communications Corporation, July 1996. URL: http://users.salleurl.edu/~marcg/Documentacio/general/Internet_Security.ps.
- Cloudflare. What happens in a TLS handshake? 2020. URL: https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/.
- Eric K. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018. URL: http://www.rfc-editor.org/rfc/rfc8446.txt, very optional.
Thursday, October 08
Readings:
- Marty Kalin. Getting started with OpenSSL: cryptography basics. June 19, 2019. URL: https://opensource.com/article/19/6/cryptography-basics-openssl-part-1.
- Sean Gallagher. Turkish government agency spoofed Google certificate “accidentally”. Ars Technica, January 04, 2013. URL: https://arstechnica.com/information-technology/2013/01/turkish-government-agency-spoofed-google-certificate-accidentally/.
- Randall Munroe. Exploits of a mom. October 10, 2007. URL: https://xkcd.com/327/.
- What is certificate transparency? URL: https://www.certificate-transparency.org/what-is-ct, optional.
Tuesday, October 13
Readings:
- A. Barth. HTTP State Management Mechanism. RFC 6265, April 2011. URL: http://www.rfc-editor.org/rfc/rfc6265.txt.
- Alex Hern. Major sites including New York Times and BBC hit by `ransomware' malvertising. Guardian, March 16, 2016. URL: https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising.
- Michael Mimoso. iOS developer site at core of Facebook, Apple watering hole attack. Threatpost, February 20, 2013. URL: https://threatpost.com/ios-developer-site-core-facebook-apple-watering-hole-attack-022013/77546/.
- Asha Barbaschow. Yahoo says 32m user accounts were accessed via cookie forging attack. ZDnet, March 2, 2017. URL: https://www.zdnet.com/article/yahoo-says-32m-user-accounts-accessed-via-cookie-forging-attack/.
- Scott White. Theft from online shopping carts—past and present. TrustedSec, June 4, 2020. URL: https://www.trustedsec.com/blog/theft-from-online-shopping-carts-past-and-present/.
- Chris Foresman. iPad 3G user e-mail addresses leaked by AT&T servers. Ars Technica, June 10, 2010. URL: https://arstechnica.com/gadgets/2010/06/ipad-3g-user-e-mail-addresses-leaked-by-att-servers/.
- Kim Zetter. Palin e-mail hacker says it was easy. Wired, September 18, 2008. URL: https://www.wired.com/2008/09/palin-e-mail-ha/.
- Natasha Singer. Your online attention, bought in an instant by advertisers. New York Times, November 17, 2012. URL: https://www.nytimes.com/2012/11/18/technology/your-online-attention-bought-in-an-instant-by-advertisers.html, optional.
- Peter Eckersley. How unique is your web browser? In International Symposium on Privacy Enhancing Technologies Symposium (PETS), 1–18. Springer, 2010. URL: https://www.freehaven.net/anonbib/cache/pets2010:eckersley2010unique.pdf, optional.
Thursday, October 15
Readings:
- SophosLabs Offensive Security. Top reason to apply October, 2020's Microsoft patches: Ping of Death redux. Sophos News, 2020. URL: https://news.sophos.com/en-us/2020/10/13/top-reason-to-apply-october-2020s-microsoft-patches-ping-of-death-redux/.
- Ms. Smith. Report: over 80% mobile apps have crypto flaws, 4 of 5 web apps fail OWASP security. NetworkWorld, December 6, 2015. URL: http://www.networkworld.com/article/3012272/security/report-over-80-mobile-apps-have-crypto-flaws-4-of-5-web-apps-fail-owasp-security.html.
- C.A.R. Hoare. The emperor's old clothes. Communications of the ACM, 24(2):75–83, February 1981. URL: http://dl.acm.org/citation.cfm?id=358549.358561.
- Brian Chess and Gary McGraw. Static analysis for security. IEEE Security & Privacy, 2(6):76–79, 2004. URL: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.441.5528&rep=rep1&type=pdf.
- Mudge. How to write buffer overflows. October 20, 1995. Note: At the time there was a vulnerability in vsnprintf, essentially turning it into vsprintf(). I use that as an example. That was the exploit for sendmail 8.6.12(??); however, the vsnprintf bug has been long since fixed. URL: https://insecure.org/stf/mudge_buffer_overflow_tutorial.html.
- Aleph One. Smashing the stack for fun and profit. Phrack, November 1996. URL: http://www.phrack.org/issues/49/14.html#article.
- Mark Yason. Use-after-frees: that pointer may be pointing to something bad. Security Intelligence, April 1, 2013. URL: https://securityintelligence.com/use-after-frees-that-pointer-may-be-pointing-to-something-bad/.
- Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Long Lu, and Wenke Lee. Preventing use-after-free with dangling pointers nullification. In NDSS. 2015. URL: https://wenke.gtisc.gatech.edu/papers/dangnull.pdf.
- Erik Buchanan, Ryan Roemer, Stefan Savage, and Hovav Shacham. Return-oriented programming: exploitation without code injection. Black Hat, 2008. URL: https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf.
- Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage. Return-oriented programming: systems, languages, and applications. ACM Transactions on Information and System Security (TISSEC), 15(1):1–34, 2012. URL: https://hovav.net/ucsd/dist/rop.pdf, skim.
Monday, October 19
Homework due:
Tuesday, October 20
Readings:
- Smith and Marchesini, Chapter 2.
- The man page for Linux access control lists
Thursday, October 22
Guest lecturer: Matt Blaze, Georgetown University Computer Science and Law
Readings:
- Matt Blaze. Election integrity and technology: vulnerabilities and solutions. Georgetown Law Technology Review, 4:505, 2020. URL: https://georgetownlawtechreview.org/wp-content/uploads/2020/07/4.2-p505-522-Blaze.pdf.
- National Academies of Sciences, Engineering and Medicine. Securing the Vote: Protecting American Democracy. The National Academies Press, Washington, DC, 2018. ISBN 978-0-309-47647-8. URL: https://www.nap.edu/catalog/25120/securing-the-vote-protecting-american-democracy, doi:10.17226/25120, executive summary.
- Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, and Dan S. Wallach. Analysis of an electronic voting system. In IEEE Symposium on Security and Privacy. May 2004. URL: http://avirubin.com/vote.pdf.
- Celeste Katz. Hack-vulnerable voting machines a `national security threat', experts warn. Newsweek, October 10, 2017. URL: http://www.newsweek.com/hacking-defcon-voting-machines-technology-software-eac-russia-meddling-681759.
- Avi Rubin. My day at the polls. Avi Rubin's Blog, November 4, 2008. URL: https://avi-rubin.blogspot.com/2008/11/my-day-at-polls.html.
- Nicole Perlroth. In election interference, it's what reporters didn't find that matters. New York Times, Sept. 1, 2017. URL: https://www.nytimes.com/2017/09/01/insider/in-election-interference-its-what-reporters-didnt-find-that-matters.html.
- Michael Wines, Nicole Perlroth, and Matthew Rosenberg. Russian election hacking efforts, wider than previously known, draw little scrutiny. New York Times, Sept. 1, 2017. URL: https://www.nytimes.com/2017/09/01/us/politics/russia-election-hacking.html.
- David E. Sanger, Nicole Perlroth, and Matthew Rosenberg. Amid pandemic and upheaval, new cyberthreats to the presidential election. New York Times, June 7, 2020. URL: https://www.nytimes.com/2020/06/07/us/politics/remote-voting-hacking-coronavirus.html.
- Cynthia McFadden, William M. Arkin, Kevin Monahan, and Ken Dilanian. U.S. intel: Russia compromised seven states prior to 2016 election. NBC News, February 27, 2018. URL: https://www.nbcnews.com/politics/elections/u-s-intel-russia-compromised-seven-states-prior-2016-election-n850296.
- Mark Lindeman and Philip B Stark. A gentle introduction to risk-limiting audits. IEEE Security & Privacy, 10(5):42–49, 2012. URL: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.229.883&rep=rep1&type=pdf.
- Ann Marie Awad. Colorado launches first in the nation post-election audits. NPR, November 22, 2017. URL: https://www.npr.org/2017/11/22/566039611/colorado-launches-first-in-the-nation-post-election-audits.
- Steven M. Bellovin. Mail-in ballots are secure, confidential, and trustworthy. Columbia News, October 23, 2020. URL: https://news.columbia.edu/in-mail-absentee-ballots-secure-vote-election.
Tuesday, October 27
Readings:
- Smith and Marchesini, Chapter 3.
- M. D. McIlroy and J. A. Reeds. Multilevel security in the Unix tradition. Software—Practice and Experience, 22(8):673–694, 1992. URL: http://onlinelibrary.wiley.com/doi/10.1002/spe.4380220805/abstract, optional.
- Marking Classified National Security Information (optional)
- Report on the U.S. Intelligence Community's Prewar Intelligence Assessments on Iraq (the document from which the sample marked page was taken; very optional)
Thursday, October 29
Thursday, November 05
Readings:
- Chenxi Wang. Containers 101: Linux containers and Docker explained. InfoWorld, May 26, 2016. URL: http://www.infoworld.com/article/3072929/linux/containers-101-linux-containers-and-docker-explained.html.
- Lee Badger, Daniel F. Sterne, David L. Sherman, Kenneth M. Walker, and Sheila A. Haghighat. A domain and type enforcement UNIX prototype. Computing Systems, 9(1):47–83, 1996. URL: http://static.usenix.org/publications/library/proceedings/security95/full_papers/badger.pdf.
- Ian Goldberg, David A. Wagner, Randi Thomas, and Eric A. Brewer. A secure environment for untrusted helper applications. In Proceedings of the Sixth USENIX Security Symposium. San Jose, CA, USA, 1996. URL: http://HTTP.CS.Berkeley.EDU/~daw/janus/.
- The somewhat surprising history of chroot()
- Docker Security
Tuesday, November 10
Readings:
- AppContainers for Windows 8: what are they and how can you create them? Apriorit, October 8, 2019. URL: https://medium.com/that-feeling-when-it-is-compiler-fault/appcontainers-for-windows-8-what-are-they-and-how-can-you-create-them-e5970a28eea4.
Thursday, November 12
Readings:
- J. H. Saltzer, D. P. Reed, and D. D. Clark. End-to-end arguments in system design. ACM Trans. Comput. Syst., 2(4):277–288, 1984. doi:http://doi.acm.org/10.1145/357401.357402.
- T.J. Socolofsky and C.J. Kale. TCP/IP tutorial. RFC 1180, January 1991. URL: http://www.rfc-editor.org/rfc/rfc1180.txt.
- Steven M. Bellovin. A look back at “Security problems in the TCP/IP protocol suite”. In Annual Computer Security Applications Conference. December 2004. Invited paper. URL: https://www.cs.columbia.edu/~smb/papers/acsac-ipext.pdf.
- BBC. Russia highway robbery: official `stole 50km road'. BBC News, January 14, 2016. URL: https://www.bbc.com/news/world-europe-35312492.
- J. Postel. Internet Protocol. RFC 791, September 1981. URL: http://www.rfc-editor.org/rfc/rfc791.txt, optional.
- J. Postel. Transmission Control Protocol. RFC 793, September 1981. URL: http://www.rfc-editor.org/rfc/rfc793.txt, optional.
- D. Plummer. An Ethernet Address Resolution Protocol: Or Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware. RFC 826, November 1982. URL: http://www.rfc-editor.org/rfc/rfc826.txt, optional.
- J. Postel. User Datagram Protocol. RFC 768, August 1980. URL: http://www.rfc-editor.org/rfc/rfc768.txt, optional.
- Steven M. Bellovin. The Security Flag in the IPv4 Header. RFC 3514, April 01, 2003. URL: http://www.rfc-editor.org/rfc/rfc3514.txt, optional.
- D. Waitzman. Standard for the transmission of IP datagrams on avian carriers. RFC 1149, April 01, 1990. URL: http://www.rfc-editor.org/rfc/rfc1149.txt, optional.
- D. Waitzman. IP over Avian Carriers with Quality of Service. RFC 2549, April 01, 1999. URL: http://www.rfc-editor.org/rfc/rfc2549.txt, optional.
Tuesday, November 17
Homework due:
Readings:
- Steven M. Bellovin. Using the domain name system for system break-ins. In Proceedings of the Fifth Usenix Unix Security Symposium, 199–208. Salt Lake City, UT, June 1995. URL: https://www.cs.columbia.edu/~smb/papers/dnshack.pdf.
- Dan Goodin. DNS cache poisoning, the Internet attack from 2008, is back from the dead. Ars Technica, November 12, 2020. URL: https://arstechnica.com/information-technology/2020/11/researchers-find-way-to-revive-kaminskys-2008-dns-cache-poisoning-attack/.
- Cloudflare. How DNSSEC works. 2020. URL: https://www.cloudflare.com/dns/dnssec/how-dnssec-works/.
- P.V. Mockapetris. Domain names—concepts and facilities. RFC 1034, November 1987. URL: http://www.rfc-editor.org/rfc/rfc1034.txt, optional.
- R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. RFC 4033, March 2005. URL: http://www.rfc-editor.org/rfc/rfc4033.txt, very optional.
- Steven M. Bellovin, Real Attacks and Threat Models, IETF 67, San Diego, CA, November 2006.
Thursday, November 19
Readings:
- Lily May Newman. A broken piece of Internet backbone might finally get fixed. Wired, December 2, 2020. URL: https://www.wired.com/story/bgp-routing-manrs-google-fix/.
- BGP.us. BGP case studies. 2016. URL: https://www.bgp.us/case-studies/.
- Dan Goodin. Hacking Team orchestrated brazen BGP hack to hijack IPs it didn't own. Ars Technica, 2015. URL: http://arstechnica.com/security/2015/07/hacking-team-orchestrated-brazen-bgp-hack-to-hijack-ips-it-didnt-own/.
- Pierre-Antoine Vervier, Olivier Thonnard, and Marc Dacier. Mind your blocks: on the stealthiness of malicious BGP hijacks. In Proceedings of NDSS '15. 2015. URL: http://www.internetsociety.org/doc/mind-your-blocks-stealthiness-malicious-bgp-hijacks.
- Craig Timberg. The long life of a quick `fix'. Washington Post, May 31, 2015. URL: https://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/.
- Fred Baker. Internet routing with MANRS. 2018. URL: https://www.manrs.org/wp-content/uploads/2018/11/Internet-Routing-with-MANRS.pdf.
- Anirudh Ramachandran and Nick Feamster. Understanding the network-level behavior of spammers. ACM SIGCOMM Computer Communication Review, 36(4):291–302, 2006.
- S. Murphy, M. Badger, and B. Wellington. OSPF with Digital Signatures. RFC 2154, June 1997. URL: http://www.rfc-editor.org/rfc/rfc2154.txt, optional.
- M. Lepinski and Stephen T. Kent. An Infrastructure to Support Secure Internet Routing. RFC 6480, February 2012. URL: http://www.rfc-editor.org/rfc/rfc6480.txt, optional.
- Stephen T. Kent and A. Chi. Threat Model for BGP Path Security. RFC 7132, February 2014. URL: http://www.rfc-editor.org/rfc/rfc7132.txt, optional.
Tuesday, November 24
Homework due:
Readings:
- William R. Cheswick and Steven M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, MA, 1st edition, 1994. ISBN 0201633574. URL: http://www.wilyhacker.com/1e/, Chapter 1.
- William R. Cheswick and Steven M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, MA, 1st edition, 1994. ISBN 0201633574. URL: http://www.wilyhacker.com/1e/, The rest of the book is optional.
Tuesday, December 01
Readings:
- W. Simpson. IP in IP Tunneling. RFC 1853, October 1995. URL: http://www.rfc-editor.org/rfc/rfc1853.txt.
- G. Dommety. Key and Sequence Number Extensions to GRE. RFC 2890, September 2000. URL: http://www.rfc-editor.org/rfc/rfc2890.txt.
- Stephen T. Kent and K. Seo. Security Architecture for the Internet Protocol. RFC 4301, December 2005. URL: http://www.rfc-editor.org/rfc/rfc4301.txt, skim.
Thursday, December 03
Readings:
- John Leyden. The 30-year-old prank that became the first computer virus. The Register, 2012. URL: https://www.theregister.com/2012/12/14/first_virus_elk_cloner_creator_interviewed/.
- Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to own the Internet in your spare time. In Proceedings of the 11th USENIX Security Symposium. San Francisco, CA, USA, 2002. URL: https://www.icir.org/vern/papers/cdc-usenix-sec02/.
- F-Secure. Virus: DOS/CIH. 2002. URL: https://www.f-secure.com/v-descs/cih.shtml.
- Timothy B. Lee. How a grad student trying to build the first botnet brought the Internet to its knees. Washington Post, November 1, 2013. URL: https://www.washingtonpost.com/news/the-switch/wp/2013/11/01/how-a-grad-student-trying-to-build-the-first-botnet-brought-the-internet-to-its-knees/?arc404=true.
- Josh Fruhlinger. Ransomware explained: how it works and how to remove it. CSO, June 19, 2020. URL: https://www.csoonline.com/article/3236183/what-is-ransomware-how-it-works-and-how-to-remove-it.html.
- Aaron Mak. How scammers steal your computing power to mine cryptocurrencies. Slate, February 1, 2015. URL: https://slate.com/technology/2018/02/what-is-cryptojacking-the-bitcoin-and-monero-mining-process-that-steals-your-computing-power-explained.html.
- Aaron Mak. Salon is asking readers to mine cryptocurrency if they don't want to see ads. Slate, February 13, 2018. URL: https://slate.com/technology/2018/02/salon-is-offering-readers-to-suppress-ads-in-exchange-for-cryptocurrency-mining-power.html.
- Marty Niland. Virus disrupts train signals. CBS News, August 21, 2003. URL: https://www.cbsnews.com/news/virus-disrupts-train-signals/.
- Robert Stone. CenterTrack: an IP overlay network for tracking DoS floods. In Proc. 9th USENIX Security Symposium. 2000. URL: http://www.usenix.org/publications/library/proceedings/sec2000/full_papers/stone/stone.ps.
- Computer Emergency Response Team. Distributed denial of service tools. Incident Note IN-99-07, CERT, January 15, 2001. URL: https://web.archive.org/web/20100626210554/http://www.cert.org/incident_notes/IN-99-07.html.
- Geoffrey Cheng. Malware FAQ: analysis on DDOS tool Stacheldraht v1.666. 2000. URL: https://www.sans.org/security-resources/malwarefaq/stacheldraht.
- U.S. Department of Justice. Seven Iranians working for Islamic Revolutionary Guard Corps-affiliated entities charged for conducting coordinated campaign of cyber attacks against U.S. financial sector. March 24, 2016. URL: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged.
- Michael Kan. Google says biggest DDoS attack on record hit the company in 2017. PC Magazine, October 16, 2020. URL: https://www.pcmag.com/news/google-says-biggest-ddos-attack-on-record-hit-the-company-in-2017.
- Dan Goodin. How Google fought back against a crippling IoT-powered botnet and won. Ars Technica, February 02, 2017. URL: https://arstechnica.com/information-technology/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/.
Tuesday, December 08
Homework due:
Readings:
- Nicole Radziwill, Jessica Romano, Diane Shorter, and Morgan C. Benton. The ethics of hacking: should it be taught? CoRR, 2015. URL: http://arxiv.org/abs/1512.02707, arXiv:1512.02707.
- Gregory Conti and James Caroland. Embracing the Kobayashi Maru: why you should teach your students to cheat. IEEE Security & Privacy, 9(4):48–51, July–August 2011. URL: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5968086.
- C. T. Holzer and J. E. Lerums. The ethics of hacking back. In 2016 IEEE Symposium on Technologies for Homeland Security (HST), 1–6. 2016. URL: https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2016-01.pdf.
- Dan Goodin. Vigilante botnet infects IoT devices before blackhats can hijack them. Ars Technica, April 19, 2017. URL: https://arstechnica.com/information-technology/2017/04/vigilante-botnet-infects-iot-devices-before-blackhats-can-hijack-them/.
- Peter Bright. DoJ, FBI set up command-and-control servers, take down botnet. Ars Technica, April 14, 2011. URL: https://arstechnica.com/information-technology/2011/04/doj-fbi-set-up-command-and-control-servers-take-down-botnet/.
- Catalin Cimpanu. Avast and French police take over malware botnet and disinfect 850,000 computers. ZDNet, August 28, 2019. URL: https://www.zdnet.com/article/avast-and-french-police-take-over-malware-botnet-and-disinfect-850000-computers/.
- A. M. Matwyshyn, A. Cui, A. D. Keromytis, and S. J. Stolfo. Ethics in security vulnerability research. IEEE Security & Privacy, 8(2):67–72, 2010. URL: https://academiccommons.columbia.edu/doi/10.7916/D8JQ19F5/download.
- Sean Gallagher. Maryland bill would outlaw ransomware, keep researchers from reporting bugs. Ars Technica, January 27, 2020. URL: https://arstechnica.com/information-technology/2020/01/good-news-maryland-bill-would-make-ransomware-a-crime/.
- Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn, and Thomas Santoro. The computer worm. February 6, 1989. URL: http://simson.net/ref/1989/Cornell_Worm_Report_1989.pdf.
- Steven M. Bellovin, Scott O. Bradner, Whitfield Diffie, Susan Landau, and Jennifer Rexford. As simple as possible—but not more so. Communications of the ACM, 2011. Note: this is a shorter version of “Can it really work?”. URL: https://www.cs.columbia.edu/~smb/papers/simple-as-possible.pdf.
Thursday, December 10
Penetration Testing and Physical Security
Guest lecturer: Mark Seiden
Readings:
- Gary Rivlin. The sniffer vs. the cybercrooks. New York Times, July 31, 2005. URL: https://www.nytimes.com/2005/07/31/business/yourmoney/the-sniffer-vs-the-cybercrooks.html.
- Dan Goodin. How a turf war and a botched contract landed 2 pentesters in Iowa jail. Ars Technica, November 13, 2019. URL: https://arstechnica.com/information-technology/2019/11/how-a-turf-war-and-a-botched-contract-landed-2-pentesters-in-iowa-jail/.
- Dan Goodin. Exonerated: charges dropped against pentesters paid to break into Iowa courthouse. Ars Technica, January 30, 2020. URL: https://arstechnica.com/information-technology/2020/01/criminal-charges-dropped-against-2-pentesters-who-broke-into-iowa-courthouse/.
- John Markoff. Design flaw in security systems leaves airports vulnerable to terrorists, officials say. New York Times, February 8, 1998. URL: https://www.nytimes.com/1998/02/08/us/design-flaw-security-systems-leaves-airports-vulnerable-terrorists-officials-say.html.
- Matt Blaze. Cryptology and physical security: rights amplification in master-keyed mechanical locks. IEEE Security and Privacy, March/April 2003. URL: https://www.mattblaze.org/papers/mk.pdf.
- Matt Blaze. Safecracking for the computer scientist. Technical Report, U. Penn CIS Department, December 20, 2004. URL: https://www.mattblaze.org/papers/safelocks.pdf.
Tuesday, December 22
Homework due:
- Final Project (Final Project)
OpenSSL demo programs
Containers
Python3 script to create a user list
User list: "name hashed-w pw", blank-separated
User names from hw3
Simple HTTP specification
Simple TLS instructions
Simple C program to connect to a TLS web server
Assignment version replaced 12/9
Assignment version replaced 10/7
Assignment version replaced 11/25
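The user-list format described above ("name hashed-pw", one user per line, blank-separated) is worth seeing with a concrete hashing choice, since the line format alone says nothing about how the password field should be built. The following is an added example, not the course's own Python3 script: it builds such a list from a constructed set of users, parses it back, and checks a login against it. The page does not say which hash is used; this example assumes PBKDF2-HMAC-SHA256 with a random per-user salt, encoded as `pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>` so that the password field contains no blank and the line stays exactly two fields. The user names, passwords, iteration count and file name are all assumptions (the real names come from hw3).

```python
"""Build, parse and check a blank-separated user list ("name hashed-pw").

Added example, not the course's script. Hash construction and all sample
data are assumptions (see comments).
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption: PBKDF2 iteration count. Kept low so the example runs quickly;
# OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000.
ITERATIONS = 100_000
USER_LIST_PATH = "users.txt"  # assumed file name

# Constructed sample input; the real user names come from hw3.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded with '$' separators and no blanks."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, encoded: str) -> bool:
    """Recompute the hash with the stored salt/iterations; constant-time compare."""
    try:
        algo, iters, salt_hex, digest_hex = encoded.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def make_user_list(users: Dict[str, str]) -> str:
    """Render 'name hashed-pw' lines. Names with blanks would break the format."""
    lines = []
    for name, password in users.items():
        if not name or any(c.isspace() for c in name):
            raise ValueError(f"bad user name {name!r}: must be non-empty with no blanks")
        lines.append(f"{name} {hash_password(password)}")
    return "\n".join(lines) + "\n"


def parse_user_list(text: str) -> Dict[str, str]:
    """Parse the list strictly: exactly two fields per line, no duplicate names."""
    table: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 blank-separated fields, got {len(fields)}")
        name, encoded = fields
        if name in table:
            raise ValueError(f"line {lineno}: duplicate user {name!r}")
        table[name] = encoded
    return table


# Hash checked for unknown users so a login attempt costs the same time
# whether or not the name exists (avoids trivially enumerating valid names).
DUMMY_HASH = hash_password("not-a-real-password")


def check_login(table: Dict[str, str], name: str, password: str) -> bool:
    """True only if the user exists and the password matches its stored hash."""
    encoded = table.get(name, DUMMY_HASH)
    matched = verify_password(password, encoded)
    return matched and name in table


if __name__ == "__main__":
    text = make_user_list(SAMPLE_USERS)
    with open(USER_LIST_PATH, "w", encoding="utf-8") as f:
        f.write(text)
    with open(USER_LIST_PATH, encoding="utf-8") as f:
        table = parse_user_list(f.read())
    print(f"wrote {len(table)} users to {USER_LIST_PATH}")
    print("alice/correct pw:", check_login(table, "alice", SAMPLE_USERS["alice"]))
    print("alice/wrong pw:  ", check_login(table, "alice", "nope"))
    print("unknown user:    ", check_login(table, "mallory", "anything"))
```

The strict two-field parse is the check a server reading this file should do: a stray blank in a name or hash silently becomes a third field, and a duplicate name would let a later line shadow an earlier one.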