The lectures and readings listed here are subject to change, including in response to current events (i.e., major news items).
Tuesday, January 18
Readings:
- Bellovin, Chaps 1–3.
- “Defining Security”, via Courseworks
Thursday, January 20
Readings:
- Bellovin, Chapter 7.
- Lorrie Cranor. Time to rethink mandatory password changes. Tech@FTC blog, March 2, 2016. LINK.
- Yinqian Zhang, Fabian Monrose, and Michael K. Reiter. The security of modern password expiration: an algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, 176–186. New York, NY, USA, 2010. ACM. LINK, doi:10.1145/1866307.1866328.
- Andy Greenberg. So hey you should stop using texts for two-factor authentication. Wired, June 26, 2016. LINK.
- Brian Krebs. The limits of SMS for 2-factor authentication. Krebs on Security, September 16, 2016. LINK.
- Robert H. Morris and Ken Thompson. Unix password security. Communications of the ACM, 22(11):594, November 1979. LINK. Very important to read!
- Daniel Terdiman. Google security exec: 'passwords are dead'. CNET, September 10, 2013. LINK.
- Wesley Hilliard. LastPass denies claims that master passwords may have been compromised. Apple Insider, December 28, 2021. LINK.
- Gabor Angyal. Unusual attempted login activity: how LastPass protects you. LastPass Security News Blog, December 28, 2021. LINK.
- Dr. Fun
- Dilbert
- Dilbert
- Dilbert
- Dilbert
- User Friendly
Tuesday, January 25
Readings:
- Bellovin, Chapter 7.6.
- Ross Anderson. Security Engineering. John Wiley & Sons, Inc., Indianapolis, IN, second edition, 2008. LINK, Chapter 15.
- Stephen T. Kent and Lynette I. Millett, editors. Who Goes There? Authentication Through the Lens of Privacy. National Academies Press, 2003. LINK, Chapter 5.
- Kim Zetter. German hackers say they cracked iPhone's new fingerprint scanner. Wired: Threat Level, September 23, 2013. LINK.
- Alex Hern. Hacker fakes German minister's fingerprints using photos of her hands. The Guardian, December 30, 2014. LINK.
- Karen Shonesy. Security risk: automated voice imitation can fool humans and machines. Science Daily, September 26, 2015. LINK.
- Craig Watson, Gregory Fiumara, Elham Tabassi, Su Lan Cheng, Patricia Flanagan, and Wayne Salamon. Fingerprint vendor technology evaluation. NISTIR 8034, NIST, December 2014. LINK, Executive Summary.
- Patrick Grother, Mei Ngan, and Kayee Hanaoka. Face recognition vendor test (FRVT) part 2: identification. NISTIR 8271, NIST, September 11, 2019. LINK, Executive Summary; Figures 9-16.
- NIST. NIST study evaluates effects of race, age, sex on face recognition software. December 19, 2019. LINK.
- Sean Gallagher. London to deploy live facial recognition to find wanted faces in crowd. Ars Technica, January 28, 2020. LINK.
- Dan Goodin. Hackers say they broke Apple's Face ID. Here's why we're not convinced. Ars Technica, November 13, 2017. LINK.
- Apple Support. About Face ID advanced technology. January 14, 2020. LINK.
- Ron Amadeo. Anyone can fingerprint unlock a Galaxy S10—just grab a clear phone case. Ars Technica, October 17, 2019. LINK.
- Jose Pagliery. iPhone encryption stops FBI, but not this 7-year-old. CNN, December 1, 2014. LINK.
- Marc Prosser. 3d printed heads can unlock phones. What does that mean for biometric security? SingularityHub, January 7, 2019. LINK.
- NSTC. Fingerprint recognition. National Science and Technology Council, Committee on Technology, 2013. LINK.
- Why the iPhone's fingerprint sensor is better than the ones on older laptops, Y. Narasimhulu (blog).
Thursday, January 27
Readings:
- Bellovin, Chapter 8.
- Ross Anderson. Security Engineering. John Wiley & Sons, Inc., Indianapolis, IN, second edition, 2008. LINK, Section 21.4.5.7.
- Dennis Fisher. Final report on DigiNotar hack shows total compromise of CA servers. Threatpost, October 31, 2012. LINK.
- Kim Zetter. Meet “Flame,” the massive spy malware infiltrating Iranian computers. Wired, May 28, 2012. LINK.
- Dan Goodin. Crypto breakthrough shows Flame was designed by world-class scientists. Ars Technica, June 7, 2012. LINK.
- Brian Fonseca. VeriSign issues false Microsoft digital certificates. ITWorld, 2001. LINK.
- Zack Whittaker. Hackers are selling legitimate code-signing certificates to evade malware detection. ZDnet, February 22, 2018. LINK.
- Sean Gallagher. Patch Windows 10 and Server now because certificate validation is broken. Ars Technica, January 14, 2020. LINK.
- Yiming Zhang. Investigating hidden root certificates in the wild. APNIC blog, January 21, 2022. LINK.
- InCommon Certificate Practices Statement
- InCommon Relying Party Agreement
- Columbia CS Department certificate
- Columbia University certificate
Tuesday, February 01
Readings:
- Federal Trade Commission. Twitter settles charges that it failed to protect consumers' personal information; company will establish independently audited information security program. June 24, 2010. LINK.
- Andrew Hutchinson. Login details of 32 million Twitter accounts leaked online—time to update your password. Social Media Today, June 9, 2016. LINK.
- John Philips. 7 examples of what happens when your Twitter account is hacked. Jeff Bullas (blog), July 11, 2013. LINK.
- Troy Hunt. Beyond passwords: 2FA, U2F and Google Advanced Protection. Troy Hunt (blog), November 15, 2018. LINK.
- Mat Honan. How Apple and Amazon security flaws led to my epic hacking. Wired, August 6, 2012. LINK.
- Abdi Latif Dahir. Kenya's new digital IDs may exclude millions of minorities. New York Times, January 29, 2020. LINK.
- Abdi Latif Dahir and Carlos Mureithi. Kenya's high court delays national biometric id program. New York Times, January 31, 2020. LINK.
- Shalanda D. Young. Moving the U.S. government toward zero trust cybersecurity principles. Executive Office of the President, Office of Management and Budget, January 26, 2022. M-22-09. LINK, Section III.A.
Thursday, February 03
Readings:
- Bellovin, Chapter 4.
- Fred Cohen. Computer viruses—theory and experiments. In DOD/NBS 7th Conference on Computer Security. 1984. LINK.
- Ken Thompson. Reflections on trusting trust. Communications of the ACM, 27(8):761–763, August 1984.
- Tom Duff. Experiences with viruses on UNIX systems. Computer Systems, 2(2):155–171, Spring 1989. LINK.
- M. W. Eichin and J. A. Rochlis. With microscope and tweezers: an analysis of the Internet virus of November 1988. In Proc. IEEE Symposium on Research in Security and Privacy, 326–345. Oakland, CA, May 1989. LINK.
- John F. Shoch and Jon A. Hupp. The “worm” programs—early experience with a distributed computation. Commun. ACM, 25(3):172–180, March 1982. LINK, doi:10.1145/358453.358455.
- Timothy B. Lee. How a grad student trying to build the first botnet brought the Internet to its knees. Washington Post, November 1, 2013. LINK.
- Joris Evers. Tool turns unsuspecting surfers into hacking help. CNET, March 21, 2007. LINK.
- Joris Evers. JavaScript opens doors to browser-based attacks. CNET, July 31, 2006. LINK.
- Nicolas Falliere, Liam O Murchu, and Eric Chien. W32.Stuxnet dossier. Symantec Security Response, February 2011. Version 1.4. LINK.
- Catalin Cimpanu. New Ramsay malware can steal sensitive documents from air-gapped networks. ZDnet, May 13, 2020. LINK.
- Kim Zetter and Huib Modderkolk. Revealed: how a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran. Yahoo, September 2, 2019. LINK.
- Sergiu Gatlan. Microsoft plans to kill malware delivery via Office macros. Bleeping Computer, February 7, 2022. LINK.
- Recreating the Trojan Horse?
- PandaLabs detected more than 21 million new threats, Panda Security, September 15, 2015.
- Oldest known depiction of the Trojan Horse, from the "Vase of Mykonos", almost 2700 years old
- Bad flash drive caused worst U.S. military breach
Optional:
- Ignacio Sanmillan. Ramsay: a cyber‑espionage toolkit tailored for air‑gapped networks. We Live Security, May 13, 2020. LINK.
- Kim Zetter. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. Crown Publishers, New York, 2014, The best single reference on Stuxnet.
Monday, February 07
Location: Zoom
Readings:
- Katie Benner. U.S. charges Chinese military officers in 2017 Equifax hacking. New York Times, February 10, 2020. LINK.
- Paul Mozur. With harsh words, China's military denies it hacked Equifax. New York Times, February 13, 2020. LINK.
- Jon Brodkin. Huawei fires back, points to US' history of spying on phone networks. Ars Technica, February 13, 2020. LINK.
- Greg Miller. “The intelligence coup of the century”. Washington Post, February 11, 2020. LINK.
- Bellovin, Section 17.4.
- Dan Geer. Von Neumann's monster. Speech, February 7, 2020. LINK.
- Eyal Ronen, Colin O'Flynn, Adi Shamir, and Achi-Or Weingarten. IoT goes nuclear: creating a ZigBee chain reaction. 2016. LINK.
- Yossef Oren and Angelos D. Keromytis. From the aether to the Ethernet—attacking the Internet using broadcast digital television. In 23rd USENIX Security Symposium (USENIX Security 14), 353–368. San Diego, CA, August 2014. USENIX Association. LINK.
- Brian Krebs. IoT device maker vows product recall, legal action against western accusers. Krebs on Security, October 16, 2016. LINK.
- Brian Krebs. Oct 16 hacked cameras, DVRs powered today's massive internet outage. Krebs on Security, October 16, 2016. LINK.
- Elie Bursztein. Inside the infamous Mirai IoT botnet: a retrospective analysis. Cloudflare Blog, December 14, 2017. LINK.
- Paul Roberts. Blade Runner redux: do embedded systems need a time to die? Security Ledger, May 13, 2014. LINK.
- SCS computing facilities support lifecycle guide. December 16, 2019. LINK.
- Martim Lobao. Android versus iOS software updates revisited: two years later and not much has changed. Android Police, November 2, 2017. LINK.
- Updated: how to: reset C by GE light bulbs. January 3, 2019. LINK.
- Frank Stajano and Ross Anderson. The resurrecting duckling: security issues for ad-hoc wireless networks. In International workshop on security protocols, 172–182. Springer, 1999. LINK.
- Sean Gallagher. Unpatchable bug in millions of iOS devices exploited, developer claims. Ars Technica, September 27, 2019. LINK.
- Jonathan M. Gitlin. Driver stranded after connected rental car can't call home. Ars Technica, February 18, 2020. LINK.
- Cybersecurity and Infrastructure Security Agency. Ransomware impacting pipeline operations. Alert AA20-049A, CISA, February 18, 2020. LINK.
Optional:
- Andy Greenberg. Sandworm. Doubleday, New York, 2019.
Thursday, February 10
Homework due:
Readings:
- Ivan Krstić. Behind the scenes with iOS security. In Black Hat. 2016. LINK.
- Ms. Smith. Report: over 80% mobile apps have crypto flaws, 4 of 5 web apps fail OWASP security. NetworkWorld, December 6, 2015. LINK.
- Jon Oberheide and Farnam Jahanian. When mobile is harder than fixed (and vice versa): demystifying security challenges in mobile environments. In Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications, HotMobile '10, 43–48. New York, NY, USA, 2010. ACM. LINK, doi:10.1145/1734583.1734595.
- M. Becher, F. C. Freiling, J. Hoffmann, T. Holz, S. Uellenbeck, and C. Wolf. Mobile security catching up? revealing the nuts and bolts of the security of mobile devices. In 2011 IEEE Symposium on Security and Privacy, 96–111. May 2011. doi:10.1109/SP.2011.29.
- Matthew Green. Why can't Apple decrypt your iPhone? A Few Thoughts on Cryptographic Engineering, October 4, 2014. LINK.
- Kim Zetter. “Sloppy” mobile voting app used in four states has “elementary” security flaws. Vice Motherboard, February 13, 2020. LINK.
- Carnegie Foundation. Moving the encryption policy conversation forward. September 2019. LINK.
- Adam J. Aviv, Katherine L. Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith. Smudge attacks on smartphone touch screens. In WOOT '10, 1–7. 2010. LINK.
- Sergei Skorobogatov. The bumpy road towards iPhone 5c NAND mirroring. In HardwearIO. Hague, Netherlands, September 2017. LINK.
- Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. Why Eve and Mallory love Android: an analysis of Android SSL (in)security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, 50–61. New York, NY, USA, 2012. Association for Computing Machinery. LINK, doi:10.1145/2382196.2382205.
- Gillian Cleary. Mobile privacy: what do your apps know about you? Symantec Threat Intelligence (blog), August 16, 2018. LINK.
- Aaron Krolik. Your apps know where you were last night, and they're not keeping it secret. New York Times, December 10, 2018. LINK.
- Logan Koepke, Emma Weil, Urmila Janardan, Tinuola Dada, and Harlan Yu. Mass extraction: the widespread power of U.S. law enforcement to search mobile phones. Upturn, October 2020. LINK.
Skim:
- Apple. Apple platform security. Fall 2019. LINK.
Tuesday, February 15
Readings:
- Stephen T. Kent and Lynette I. Millett, editors. Who Goes There? Authentication Through the Lens of Privacy. National Academies Press, 2003. LINK, Chapters 3-4.
- Merritt Baer and Chinmayi Sharma. What cybersecurity standard will a judge use in Equifax breach suits? Lawfare, 2017. LINK.
- Tara Siegel Bernard. Equifax breach affected 147 million, but most sit out settlement. New York Times, January 22, 2020. LINK.
- Kim Zetter. Sarah Palin e-mail hacker sentenced to 1 year in custody. Wired: Threat Level, November 12, 2010. LINK.
- T. Narten, R. Draves, and S. Krishnan. Privacy Extensions for Stateless Address Autoconfiguration in IPv6. RFC 4941, RFC Editor, September 2007. LINK.
- Office of the Privacy Commissioner of Canada and Office of the Information and Privacy Commissioner of Alberta. Report of an investigation into the security, collection and retention of personal information. September 25, 2007. PIPEDA Report of Findings #2007-389. LINK.
- Peter Eckersley. How unique is your web browser? In International Symposium on Privacy Enhancing Technologies Symposium (PETS), 1–18. Springer, 2010. LINK.
- Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: the second-generation onion router. In Proceedings of the 13th USENIX Security Symposium. August 2004. LINK.
- Mapping Data Flows
- Dr. Fun
Very optional:
- Secretary's Advisory Committee on Automated Personal Data Systems. Records, Computers, and the Rights of Citizens. DHEW Publication, no. (OS) 73-94. United States Department of Health, Education, and Welfare, 1973. LINK.
Thursday, February 17
Readings:
- Bellovin, Chapter 14.
- Alma Whitten and J.D. Tygar. Why Johnny can't encrypt: a usability evaluation of PGP 5.0. In Proceedings of Usenix Security Symposium. 1999. LINK.
- Michelle Madejski, Maritza Johnson, and Steven M. Bellovin. A study of privacy setting errors in an online social network. In Proceedings of SESOC 2012. 2012. LINK.
- Y. Acar, S. Fahl, and M. L. Mazurek. You are not your developer, either: a research agenda for usable security and privacy research beyond end users. In 2016 IEEE Cybersecurity Development (SecDev), 3–8. Nov 2016. doi:10.1109/SecDev.2016.013.
- Paul Stepahin. We got phished. Exploratorium Tangents (blog), October 20, 2016. LINK.
- Ian Barker. American Express customers phished using phishing prevention scam. Betanews, September 14, 2016. LINK.
- Lorenzo Franceschi-Bicchierai. How hackers broke into John Podesta and Colin Powell's Gmail accounts. Motherboard, October 20, 2016. LINK.
- Anne Adams and Martina Angela Sasse. Users are not the enemy. Commun. ACM, 42(12):40–46, December 1999. LINK, doi:10.1145/322796.322806.
- Lorrie Faith Cranor. A framework for reasoning about the human in the loop. In Usability Psychology and Security Workshop. 2008. LINK.
Tuesday, February 22
Readings:
- Bellovin, Chapter 9; Section 10.3; Section 17.3.
- Larry Seltzer. NFC phone hacking and other mobile attacks. Information Week, July 25, 2012. LINK.
- Zak Doffman. New Google Android threat: NFC exposes devices to malware attack—update settings now. Forbes, November 2, 2019. LINK.
- K. Haataja and P. Toivanen. Two practical man-in-the-middle attacks on Bluetooth secure simple pairing and countermeasures. IEEE Transactions on Wireless Communications, 9(1):384–392, January 2010. doi:10.1109/TWC.2010.01.090935.
- Thomas Brewster. Update your iPhones and Androids now if you don't want your Bluetooth hacked. Forbes, July 24, 2018. LINK.
- Ben Seri and Gregory Vishnepolsky. Blueborne. Armis, 2017. LINK.
- Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting mobile communications: the insecurity of 802.11. In Proceedings of MOBICOM 2001. July 2001. LINK.
- Adam Stubblefield, John Ioannidis, and Aviel D. Rubin. Using the Fluhrer, Mantin, and Shamir attack to break WEP. In Proceedings of the 2002 Network and Distributed Systems Security Symposium, 17–22. San Diego, CA, February 2002. LINK, skim.
- Andy Greenberg. Hackers remotely kill a Jeep on the highway—with me in it. Wired, July 21, 2015. LINK, focus on the Sprint parts.
- Threat Lab. Gotta catch 'em all. EFF White Paper, July 1, 2019. LINK.
- Dan Goodin. Flaw in billions of wi-fi devices left communications open to eavesdropping. Ars Technica, February 26, 2020. LINK.
Thursday, February 24
Readings:
- Edsger W. Dijkstra. The humble programmer. Communications of the ACM, 15(10):859–866, 1972. LINK.
- Steven M. Bellovin. Attack surfaces. IEEE Security & Privacy, 14(3):88, May 2016. doi:10.1109/MSP.2016.55.
- Michael Howard, Jon Pincus, and Jeannette M. Wing. Measuring relative attack surfaces. In D.T. Lee, S.P. Shieh, and J.D. Tygar, editors, Computer Security in the 21st Century, pages 109–137. Springer US, 2005. LINK, doi:10.1007/0-387-24006-3_8.
- Helen J. Wang, Chris Grier, Alex Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter. The multi-principal OS construction of the Gazelle web browser. In Proc. USENIX Security Symposium. 2009. LINK.
Tuesday, March 01
This is a take-home exam. There will be no in-class anything; the period is free in case you wish to use it for the exam.
Thursday, March 03
Homework due:
Readings:
- Satoshi Nakamoto. Bitcoin: a peer-to-peer electronic cash system. 2009. LINK.
- Timothy B. Lee. Want to really understand how Bitcoin works? Here's a gentle primer. Ars Technica, December 15, 2017. LINK.
- Dylan Yaga, Peter Mell, Nik Roby, and Karen Scarfone. Blockchain technology overview. NISTIR 8202, National Institute of Standards and Technology (NIST), October 2018. LINK.
- Dan Goodin. Almost $500,000 in Ethereum Classic coin stolen by forking its blockchain. Ars Technica, January 08, 2019. LINK.
- Timothy B. Lee. Blockchain-based elections would be a disaster for democracy. Ars Technica, November 06, 2018. LINK.
- Dan Goodin. Crypto flaws in blockchain Android app sent Bitcoins to the wrong address. Ars Technica, May 29, 2015. LINK.
- Timothy B. Lee. A brief history of Bitcoin hacks and frauds. Ars Technica, December 05, 2017. LINK.
- Kate Rooney. $1.1 billion in cryptocurrency has been stolen this year, and it was apparently easy to do. CNBC, June 7, 2018. LINK.
- Steven M. Bellovin. Bitcoin—the Andromeda Strain of computer science research. SMBlog: Steve Bellovin's Blog (blog), December 30, 2017. LINK.
- Matthew Leising. The Ether thief. Bloomberg, June 13, 2017. LINK.
- Cecille De Jesus. The DAO heist undone: 97% of ETH holders vote for the hard fork. Futurism, July 19, 2016. LINK.
- IBM Blockchain Pulse. Building enterprise blockchains that stand for good: 5 principles for blockchain. Blockchain Pulse: IBM Blockchain Blog, May 13, 2019. LINK.
- Jordan Tuwiner. Best bitcoin & cryptocurrency wallets. Buy Bitcoin Worldwide, December 20, 2019. LINK.
- Joeri Cant. Chinese Bitcoin miners pressured to scale down due to electricity shortages. Cointelegraph, December 30, 2019. LINK.
- Stan Schroeder. Wallet bug freezes more than $150 million worth of Ethereum. Mashable, November 8, 2017. LINK.
- James Vincent. Bitcoin consumes more energy than Switzerland, according to new estimate. Verge, July 4, 2019. LINK.
- Haseeb Qureshi. A hacker stole $31M of ether — how it happened, and what it means for Ethereum. freeCodeCamp, July 20, 2017. LINK.
- Gavin Phillips. What is a bitcoin tumbler? are they legal? Blocks Decoded, December 19, 2019. LINK.
- Ian Miers, Christina Garman, Matthew Green, and Aviel D. Rubin. Zerocoin: anonymous distributed e-cash from Bitcoin. In 2013 IEEE Symposium on Security and Privacy, 397–411. IEEE, 2013. LINK.
- Team Rocket, Maofan Yin, Kevin Sekniqi, Robbert van Renesse, and Emin Gün Sirer. Scalable and probabilistic leaderless BFT consensus through metastability. CoRR, 2019. LINK, skim.
- Fitz Tepper. People have spent over $1M buying virtual cats on the Ethereum blockchain. TechCrunch, December 3, 2017. LINK.
- Nathaniel Popper. Hal Finney, cryptographer and Bitcoin pioneer, dies at 58. New York Times, August 30, 2014. LINK.
- Timothy B. Lee. Judge savages self-proclaimed Bitcoin inventor Craig Wright. Ars Technica, August 28, 2019. LINK.
- Jamie Redman. A deep dive into Satoshi's 11-year old Bitcoin Genesis Block. Bitcoin News, January 3, 2020. LINK.
- Timothy B. Lee. Bitcoin's “halving” is bad for miners, good for everyone else. Ars Technica, May 12, 2020. LINK.
- Dan Goodin. How $323m in crypto was stolen from a blockchain bridge called wormhole. Ars Technica, February 04, 2022. LINK.
- Ryan Naraine. Coinbase pays $250K for 'market-nuking' security flaw. Security Week, February 21, 2022. LINK.
- Mitchell Clark. NFTs, explained. Verge, August 18, 2021. LINK.
- Kyle Chayka. Why Bored Ape avatars are taking over Twitter. New Yorker, July 30, 2021. LINK.
- Jordan Pearson and Jason Koebler. A hacker is actively stealing high-value NFTs from OpenSea users. Vice Motherboard, February 19, 2022. LINK.
- Dirty Bubble Media. Phishing on the Opensea. Dirty Bubble Media, February 20, 2022. LINK.
Tuesday, March 08
Readings:
- Bellovin, Chapter 10.
- Antonio Regalado. Who coined “cloud computing”? MIT Technology Review, October 31, 2011. LINK.
- Steven M. Bellovin. Testimony for the New York City Council Committee on Technology and Committee on Small Business hearing on “Cybersecurity for Small Businesses”. February 25, 2020. LINK, sections on cloud uses.
- Teri Robinson. Open AWS S3 bucket exposes private info on thousands of Fedex customers. SC Media, February 15, 2018. LINK.
- Emma Brown. UC-Berkeley students sue Google, alleging their emails were illegally scanned. Washington Post, February 1, 2016. LINK.
- Chris Hoofnagle. Bmail and google's “content one box”. Berkeley Blog, March 1, 2014. LINK.
- Microsoft. Azure encryption overview. March 23, 2020. LINK.
- Microsoft. Azure confidential computing. March 2020. LINK.
- Google. Google cloud security and compliance whitepaper. May 18, 2017. LINK.
- Mark Russinovich. Introducing Azure confidential computing. Microsoft Azure Blog, September 14, 2017.
Thursday, March 10
Hardware Security
Guest lecturer: Prof. Simha Sethumadhavan
Readings:
- Gus W. Weiss. The Farewell Dossier: duping the Soviets. CIA, 1996. LINK.
- Jann Horn. Reading privileged memory with a side-channel. Project Zero, January 3, 2018. LINK.
- Adrian Tang, Simha Sethumadhavan, and Salvatore Stolfo. CLKSCREW: exposing the perils of security-oblivious energy management. In 26th USENIX Security Symposium (USENIX Security 17), 1057–1074. Vancouver, BC, August 2017. USENIX Association. LINK.
- Mark Seaborn. Exploiting the DRAM rowhammer bug to gain kernel privileges. Project Zero, March 9, 2015. LINK.
- M. Rostami, F. Koushanfar, and R. Karri. A primer on hardware security: models, methods, and metrics. Proceedings of the IEEE, 102(8):1283–1295, Aug 2014. doi:10.1109/JPROC.2014.2335155.
- S. M. Trimberger and J. J. Moore. FPGA security: motivations, features, and applications. Proceedings of the IEEE, 102(8):1248–1265, Aug 2014. doi:10.1109/JPROC.2014.2331672.
Note: No slides for this lecture.
Tuesday, March 29
Readings:
- John Ioannidis and Matt Blaze. The architecture and implementation of network-layer security under Unix. In Proceedings of the Fourth Usenix Unix Security Symposium, 29–39. October 1993. LINK.
- Steven M. Bellovin. Problem areas for the IP security protocols. In Proceedings of the Sixth Usenix Unix Security Symposium, 205–214. July 1996. LINK.
- Charles Dinkel, editor. Secure Data Network Systems (SDNS) Network, Transport, and Message Security Protocols. Number 90-4250. National Institute of Standards and Technology, 1990. LINK, pp. 1–39; skim.
Thursday, March 31
Readings:
- Seny Kamara. Encrypted search: intro & basics. SAC Summer School, 2019. LINK.
- Raphael Bost, Raluca Ada Popa, Stephen Tu, and Shafi Goldwasser. Machine learning classification over encrypted data. In NDSS. 2015. LINK.
- Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael A. Specter, and Daniel J. Weitzner. Keys under doormats: mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, September 2015. LINK, doi:10.1093/cybsec/tyv009.
- Lars Stoltenow. Recover the volume key of EncFS volumes created around 2007 on Debian, without password. April 5, 2020. See the README.md file. LINK.
- Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Mining your Ps and Qs: detection of widespread weak keys in network devices. In Proceedings of the 21st USENIX Security Symposium. 2012. LINK.
- Dan Goodin. Flaw crippling millions of crypto keys is worse than first disclosed. Ars Technica, November 06, 2017. LINK.
- Stilgherrian. The encryption debate in Australia. May 30, 2019. LINK.
- Cyrus Farivar. Australia passes new law to thwart strong encryption. Ars Technica, December 06, 2018. LINK.
- Asim Mehmood. HSMs and key management: effective key security. January 24, 2018. LINK.
- Does an HSM guarantee cryptographic key security? LinkedIn, January 24, 2019.
- David Gunning, Awni Hannun, Brian Knott, Laurens van der Maaten, Vinicius Reis, Shubho Sengupta, Shobha Venkataraman, and Xing Zhou. Crypten: a new research tool for secure machine learning with PyTorch. Facebook AI blog, October 10, 2019. LINK.
- Mariana Raykova, Ang Cui, Binh Vo, Bin Liu, Tal Malkin, Steven M. Bellovin, and Salvatore J. Stolfo. Usable secure private search. IEEE Security & Privacy, September-October 2012. LINK, doi:10.1109/MSP.2011.155.
- Dan Goodin. Researcher uses 379-year-old algorithm to crack crypto keys found in the wild. Ars Technica, March 14, 2022. LINK.
Tuesday, April 05
Readings:
- Steven M. Bellovin. Distributed firewalls. ;login:, pages 39–47, November 1999. LINK.
- Bellovin, Sections 5.1–5.2.
- Google. A new approach to enterprise security. 2018. LINK, Read the linked-to documents, too.
- Shalanda D. Young. Moving the U.S. government toward zero trust cybersecurity principles. Executive Office of the President, Office of Management and Budget, January 26, 2022. M-22-09. LINK.
- National Security Agency. Embracing a zero trust security model. February 25, 2021. LINK.
- Matthew Garrett. ZTA doesn't solve all problems, but partial implementations solve fewer. MJG59's Journal, March 31, 2022. LINK.
Optional:
- William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, MA, second edition, 2003. ISBN 078-5342634662. LINK, Section 9.6.
Thursday, April 07
Physical and Procedural Security
Location: Zoom
Guest lecturer: Mark Seiden
Readings:
- Bellovin, Sections 16.1, 16.2.
- NSA. Media destruction guidance. 2015. LINK.
- Federal Commissioner for the Records of the State Security Service of the Former German Democratic Republic. The reconstruction of torn documents. 2019. LINK.
- Aaron Tilley. How a few words to Apple's Siri unlocked a man's front door. Forbes, September 21, 2016. LINK.
- Andy Greenberg. Flaws in Samsung's 'smart' home let hackers unlock doors and set off fire alarms. Wired, May 2, 2016. LINK.
- Matt Blaze. Cryptology and physical security: rights amplification in master-keyed mechanical locks. IEEE Security and Privacy, 1(2):24–32, March/April 2003. LINK.
- Matt Blaze. Safecracking for the computer scientist. Technical Report, U. Penn CIS Department, December 2004. LINK.
- Kevin Mitnick and William Simon. The Art of Deception. Wiley, 2002. (Recommended).
- Lewis Page. US Navy malware infection risked submarine prang. The Register, April 18, 2007. LINK.
- Lewis Page. Disgruntled techie attempts Californian power blackout. The Register, April 20, 2007. LINK.
- Maxim Kelly. Chocolate the key to uncovering PC passwords. The Register, April 17, 2007. LINK.
- Claudia Himmelreich. Piecing together Germany's shredded Stasi files. Time, April 21, 2010. LINK.
- Sean Gallagher. Power strip or network hacking tool? it's both, actually. Ars Technica, July 23, 2012. LINK.
- Director of Central Intelligence. Physical security standards for sensitive compartmented information facilities. Directive 6/9, CIA, November 18, 2002. LINK.
- BBC. Service station thieves 'using car key jammers'. BBC News, December 3, 2016. LINK.
- Lily Hay Newman. How a hacker's mom broke into a prison—and the warden's computer. Wired, February 26, 2020. LINK.
- Prison break-in video, starting at about 13:30
- The Graphing Calculator Story, Ron Avitzur, 2004.
Tuesday, April 12
Homework due:
Readings:
- Andy Greenberg. Hacker lexicon: what is fuzzing? Wired, June 2, 2016. LINK.
- John Neystadt. Automated penetration testing with white-box fuzzing. MSDN, February 2008. LINK.
- J. Postel. TCP and IP bake off. RFC 1025, RFC Editor, September 1987. LINK.
- Steven M. Bellovin and Randy Bush. Configuration management and security. IEEE Journal on Selected Areas in Communications, 27(3):268–274, April 2009. LINK.
- Peter Gutmann. Fuzzing code with AFL. ;login:, 41(2):11–14, Summer 2016. LINK.
- A warm welcome to ASN.1 and DER. April 2020. LINK, skim.
- CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations, February 12, 2002
Optional:
- Ari Takanen, Jared DeMott, Charles Miller, and Atte Kettunen. Fuzzing for Software Security Testing and Quality Assurance. Artech House, Boston, MA, second edition, 2018. LINK, online book; skim.
Thursday, April 14
Readings:
- Bellovin, Section 11.3; 16.3.
- Nicole Perlroth. A tough corporate job asks one question: can you hack it? The New York Times, July 21, 2014. LINK.
- Brian Krebs. Target hackers broke in via HVAC company. Krebs on Security, February 5, 2014. LINK.
- Paul Roberts. Third party vendor source of breach at Home Depot. Security Ledger, November 7, 2014. LINK.
- Steven M. Bellovin and Randy Bush. Configuration management and security. IEEE Journal on Selected Areas in Communications, 27(3):268–274, April 2009. LINK.
- R. Callon and M. Suzuki. A Framework for Layer 3 Provider-Provisioned Virtual Private Networks (PPVPNs). RFC 4110, RFC Editor, July 2005. LINK, skim.
- L. Fang. Security Framework for Provider-Provisioned Virtual Private Networks (PPVPNs). RFC 4111, RFC Editor, July 2005. LINK, skim.
Tuesday, April 19
Readings:
- Bellovin, Chapters 12, 13, 15.
- Parker Thompson and Sarah Zatko. Build safety of software in 28 popular home routers. December 2018. LINK.
- Steven M. Bellovin. The open source quality challenge. SMBlog: Steve Bellovin's Blog (blog), April 29, 2009. LINK.
- Christopher Bing and Joseph Menn. Flaw in iPhone, iPads may have allowed hackers to steal data for years. Reuters, April 22, 2020. LINK.
- Microsoft. Life in the digital crosshairs: the dawn of the Microsoft Security Development Lifecycle. 2014. LINK.
- Bill Gates. Trustworthy computing. January 15, 2002. LINK.
- Brian Krebs. Microsoft Patch Tuesday, April 2022 edition. Krebs on Security, April 13, 2022. LINK.
- Natasha Singer and Nicole Perlroth. Zoom's security woes were no secret to business partners like Dropbox. New York Times, April 20, 2020. LINK.
- Darren Pauli. Apple's iOS updates brick iPads. The Register, May 17, 2016. LINK.
- National Telecommunications and Information Administration. Software bill of materials. 2021. LINK.
- Read several of the web pages of Cyber ITL, including especially their methodology page.
Thursday, April 21
Readings:
- Cliff Stoll. Stalking the wily hacker. Communications of the ACM, 31(5):484–497, May 1988. LINK, doi:10.1145/42411.42412.
- Microsoft Threat Protection Intelligence Team. Ransomware groups continue to target healthcare, critical services; here's how to reduce risk. April 28, 2020. LINK.
- Dan Goodin. Lockbit, the new ransomware for hire: a sad and cautionary tale. Ars Technica, May 1, 2020. LINK.
- William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin. Firewalls and Internet Security; Repelling the Wily Hacker. Addison-Wesley, Reading, MA, second edition, 2003. ISBN 078-5342634662. Chapter 17: “The Taking of Clark”. LINK.
- Brian Krebs. Banks: credit card breach at Home Depot. Krebs on Security, September 14, 2014. LINK.
- Brian Krebs. What the Marriott breach says about security. Krebs on Security, December 18, 2018. LINK.
- Nicole Perlroth, Amie Tsang, and Adam Satariano. Marriott hacking exposes data of up to 500 million guests. New York Times, November 30, 2018. LINK.
- Sean Gallagher. Sony pictures hackers release list of stolen corporate files. Ars Technica, November 26, 2014. LINK.
- Sean Gallagher. Home Depot ignored security warnings for years, employees say. Ars Technica, September 20, 2014. LINK.
- Nicole Perlroth. Yahoo says hackers stole data on 500 million users in 2014. New York Times, September 22, 2016. LINK.
- Josh Fruhlinger. The OPM hack explained: bad security practices meet China's Captain America. CSO Online, February 12, 2020. LINK.
- Brendan I. Koerner. Inside the cyberattack that shocked the US Government. Wired, October 23, 2016. LINK.
- William R. Cheswick. An evening with Berferd, in which a cracker is lured, endured, and studied. In Proc. Winter USENIX Conference. San Francisco, CA, January 1992. LINK.
- William R. Cheswick. Back to Berferd. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC '10, 281–286. New York, NY, USA, 2010. ACM. LINK, doi:10.1145/1920261.1920303.
- Andy Greenberg. The untold story of NotPetya, the most devastating cyberattack in history. Wired, August 22, 2018.
- Bellovin, Section 16.4.
- Mandiant. APT1: exposing one of China's cyber espionage units. White paper, 2013. LINK.
Optional:
- Thomas Rid and Ben Buchanan. Attributing cyber attacks. Journal of Strategic Studies, 38(1-2):4–37, 2015. LINK, doi:10.1080/01402390.2014.977382.
- Jason Healey. Beyond attribution: seeking national responsibility for cyber attacks. January 2012. LINK.
Very optional:
- Cliff Stoll. The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Doubleday, New York, 1989. A longer, less technical version of Stoll's paper, but worth reading if you're interested in this area.
Tuesday, April 26
Readings:
- Josh Blum, Simon Booth, Brian Chen, Oded Gal, Maxwell Krohn, Julia Len, Karan Lyons, Antonio Marcedone, Mike Maxim, Merry Ember Mou, Jack O'Connor, Surya Rien, Miles Steele, Matthew Green, Lea Kissner, and Alex Stamos. E2E encryption for Zoom meetings. October 29, 2021. Version 3.2. LINK.
- Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan. Dancing on the lip of the volcano: chosen ciphertext attacks on Apple iMessage. In Proceedings of Usenix Security. 2016. LINK.
- Steven M. Bellovin. Zoom security: the good, the bad, and the business model. SMBlog: Steve Bellovin's Blog (blog), April 2, 2020. LINK.
- Steven M. Bellovin. Zoom cryptography and authentication problems. SMBlog: Steve Bellovin's Blog (blog), April 4, 2020. LINK.
- Steven M. Bellovin. Trusting Zoom? SMBlog: Steve Bellovin's Blog (blog), April 6, 2020. LINK.
- Steven M. Bellovin. Is Zoom's server security just as vulnerable as the client side? SMBlog: Steve Bellovin's Blog (blog), April 13, 2020. LINK.
- Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
- Apple pushes new silent updates to address vulnerable Zoom software
- Ever wondered how the @zoom_us macOS installer does it’s job without you ever clicking install?
- Zoom is a work-from-home privacy disaster waiting to happen
- Windows 10 alert: Zoom client can leak your network login credentials
- Zoom isn’t actually end-to-end encrypted
- The Facts Around Zoom and Encryption for Meetings/Webinars
- A Message to Our Users
- Move Fast & Roll Your Own Crypto
Optional:
- Nicole Perlroth. This is How They Tell Me the World Ends. Bloomsbury Publishing, New York, 2020, Chapter 7.
Thursday, April 28
Homework due:
Note: this class will be conducted as a seminar—come prepared to discuss the issues.
Readings:
- Nicole Radziwill, Jessica Romano, Diane Shorter, and Morgan C. Benton. The ethics of hacking: should it be taught? CoRR, 2015. LINK, arXiv:1512.02707.
- Gregory Conti and James Caroland. Embracing the Kobayashi Maru: why you should teach your students to cheat. IEEE Security & Privacy, 9(4):48–51, July–August 2011. LINK.
- C. T. Holzer and J. E. Lerums. The ethics of hacking back. In 2016 IEEE Symposium on Technologies for Homeland Security (HST), 1–6. 2016. LINK.
- Dan Goodin. Vigilante botnet infects IoT devices before blackhats can hijack them. Ars Technica, April 19, 2017. LINK.
- Peter Bright. DoJ, FBI set up command-and-control servers, take down botnet. Ars Technica, April 14, 2011. LINK.
- Catalin Cimpanu. Avast and French police take over malware botnet and disinfect 850,000 computers. ZDNet, August 28, 2019. LINK.
- A. M. Matwyshyn, A. Cui, A. D. Keromytis, and S. J. Stolfo. Ethics in security vulnerability research. IEEE Security Privacy, 8(2):67–72, 2010. LINK.
- Sean Gallagher. Maryland bill would outlaw ransomware, keep researchers from reporting bugs. Ars Technica, January 27, 2020. LINK.
- Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn, and Thomas Santoro. The computer worm. February 6, 1989. LINK.
- Steven M. Bellovin, Scott O. Bradner, Whitfield Diffie, Susan Landau, and Jennifer Rexford. As simple as possible—but not more so. Communications of the ACM, 2011. Note: this is a shorter version of “Can it really work?”. LINK.
- Michael Levenson. F.B.I. secretly bought Israeli spyware and explored hacking U.S. phones. New York Times, January 28, 2022. LINK.
- Ronen Bergman and Mark Mazzetti. The battle for the world's most powerful cyberweapon. New York Times, January 28, 2022. LINK.
- Craig Timberg. NSO offered “bags of cash” for access to U.S. cell networks, whistleblower claims. Washington Post, February 1, 2022. LINK.
Optional:
- Nicole Perlroth. This is How They Tell Me the World Ends. Bloomsbury Publishing, New York, 2020.
- Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn, and Thomas Santoro. The computer worm. February 6, 1989. LINK.
Tuesday, May 10
Final Exam (13:10-16:00)
Location: Take-home exam