Spring 2014: Network Security and Privacy (53870)

Lectures

Tue and Thu: 11a-12:30p
PAR 203

Instructor

Vitaly Shmatikov
Email: shmat AT cs
Office: GDC 6.812
Office hours: Tue 1-2p
Phone: 512-471-9530

TA

Oliver Jensen
Email: ojensen AT cs
Office: GDC 6.818A
Office hours: Wed 11a-12n

Books

• Network Security (2nd edition) by Kaufman, Perlman, and Speciner -- required textbook!
• Security Engineering by Anderson
• The Art of Intrusion by Mitnick and Simon
• The Shellcoder's Handbook by Koziol et al.
• Secure Programming for Unix and Linux HOWTO by Wheeler
• Network Security Essentials by Stallings

General principles

• Reflections on Trusting Trust by Thompson (Turing Award lecture)
• Why Cryptosystems Fail by Anderson

Passwords, security questions, biometrics

• The True Cost of Unusable Password Policies: Password Use in the Wild by Inglesant and Sasse
• Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook by Rabkin
• Messin' with Texas: Deriving Mother's Maiden Names Using Public Records by Griffith and Jakobsson
• On User Choice in Graphical Password Schemes by Davis, Monrose, and Reiter
• Impact of Artificial "Gummy" Fingers on Fingerprint Systems by Matsumoto, Matsumoto, Yamada, and Hoshino

Phishing

• Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures by Emigh
• Social Phishing by Jagatic, Johnson, Jakobsson, and Menczer
• You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings by Egelman, Cranor, and Hong
• Stronger Password Authentication Using Browser Extensions by Ross et al.
• A Usability Study and Critique of Two Password Managers by Chiasson, van Oorschot, and Biddle

Web security

• Browser Security Handbook by Zalewski
• Beware of Finer-Grained Origins by Jackson and Barth
• Rootkits for JavaScript Environments by Adida, Barth, and Jackson
• Drive-By Pharming by Stamm, Ramzan, and Jakobsson
• Dos and Don'ts of Client Authentication on the Web by Fu, Sit, Smith, and Feamster
• Busting Frame Busting by Rydstedt, Bursztein, Boneh, and Jackson
• Next Generation Clickjacking by Stone
• Clickjacking: Attacks and Defenses by Huang et al.
• Cross-Site Request Forgery by Barth, Jackson, and Mitchell
• Advanced SQL Injection in SQL Server Applications by Anley
• Cross Site Scripting Explained by Klein
• XSS Filter Evasion Cheat Sheet
• Postcards from the Post-XSS World by Zalewski
• NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications by Bisht et al.
• How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores by Wang, Chen, Wang, and Qadeer
• Third-Party Web Tracking: Policy and Technology by Mayer and Mitchell
• Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting by Nikiforakis et al.

Stream ciphers used badly

• CSS Tutorial by Kesden
• Security of the WEP algorithm by Borisov, Goldberg, and Wagner
• Dismantling MIFARE Classic by Garcia et al.
• Wirelessly Pickpocketing a Mifare Classic Card by Garcia, van Rossum, Verdult, and Schreur

Memory corruption attacks

• Smashing The Stack for Fun and Profit by Aleph One
• Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses by Chien and Szor
• w00w00 on Heap Overflows by Conover and w00w00 security team
• Vudo - An Object Superstitiously Believed to Embody Magical Powers by Kaempf
• Once Upon a free() by anonymous
• Exploiting Format String Vulnerabilities by scut / team teso
• Basic Integer Overflows by blexim
• Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Cowan et al.
• Bypassing Browser Memory Protection by Sotirov and Dowd
• Leveraging the ActionScript Virtual Machine by Dowd
• Heap Feng Shui in JavaScript by Sotirov
• Interpreter Exploitation by Blazakis
• Return-Oriented Programming by Roemer, Buchanan, Shacham, and Savage

Viruses, rootkits, trojans, worms, botnets

• Hunting for Metamorphic by Szor and Ferrie
• Slammed! An Inside View of the Worm That Crashed the Internet in 15 Minutes by Boutin
• Lessons from the Sony CD DRM Episode by Halderman and Felten
• Global Energy Cyberattacks: "Night Dragon" by McAfee
• Search Worms by Provos, McClain, and Wang
• Your Botnet is My Botnet: Analysis of a Botnet Takeover by Stone-Gross et al.
• A Multi-perspective Analysis of the Storm (Peacomm) Worm by Porras, Saidi, and Yegneswaran
• An Analysis of Conficker by Porras, Saidi, and Yegneswaran
• Stuxnet Dossier by Falliere, O Murchu, and Chien

Spam

• Understanding the Network-Level Behavior of Spammers by Ramachandran and Feamster
• On the Spam Payment Trail - interview with Savage
• Click Trajectories: End-to-End Analysis of the Spam Value Chain by Levchenko et al.

Firewalls and intrusion detection

• Firewall Gateways by Cheswick and Bellovin
• Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Ptacek and Newsham
• Intrusion Detection via Static Analysis by Wagner and Dean
• Outwitting the Witty Worm by Kumar, Paxson, and Weaver

SSL and certificates

• MD5 Considered Harmful Today: Creating a Rogue CA Certificate by Sotirov et al.
• New Tricks for Defeating SSL in Practice by Moxie
• More Tricks for Defeating SSL in Practice by Moxie