Spring 2012: Network Security and Privacy (53135)

Lectures

Tue and Thu: 2-3:15pm
BUR 130

Instructor

Vitaly Shmatikov
Email: shmat AT cs
Office: CSA 1.114
Phone: 471-9530
Office hours: Tue 3:30-4:30pm

TA

Jimmy Yang
Email: jyang AT cs
Office: PAI 5.38, desk #5
Office hours: Wed 2-4pm

Books

• Network Security (2nd edition) by Kaufman, Perlman, and Speciner -- required textbook!
• Security Engineering by Anderson
• The Art of Intrusion by Mitnick and Simon
• The Shellcoder's Handbook by Koziol et al.
• Secure Programming for Unix and Linux HOWTO by Wheeler
• Network Security Essentials by Stallings

General principles and techniques

• Reflections on Trusting Trust by Thompson (Turing Award lecture)
• Why Cryptosystems Fail by Anderson
• Improving the Security of Your Site by Breaking Into It by Farmer and Venema

Security questions, biometrics, graphical passwords

• Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook by Rabkin
• Messin' with Texas: Deriving Mother's Maiden Names Using Public Records by Griffith and Jakobsson
• On User Choice in Graphical Password Schemes by Davis, Monrose, and Reiter
• Impact of Artificial "Gummy" Fingers on Fingerprint Systems by Matsumoto, Matsumoto, Yamada, and Hoshino

Phishing

• Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures by Emigh
• Behind Phishing: An Examination of Phisher Modi Operandi by McGrath and Gupta
• Social Phishing by Jagatic, Johnson, Jakobsson, and Menczer
• You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings by Egelman, Cranor, and Hong
• Stronger Password Authentication Using Browser Extensions by Ross et al.
• A Usability Study and Critique of Two Password Managers by Chiasson, van Oorschot, and Biddle

Web security

• Dos and Don'ts of Client Authentication on the Web by Fu, Sit, Smith, and Feamster
• Beware of Finer-Grained Origins by Jackson and Barth
• Next Generation Clickjacking by Stone
• Busting Frame Busting by Rydstedt, Bursztein, Boneh, and Jackson
• Cross-Site Request Forgeries: Exploitation and Prevention by Zeller and Felten
• Cross-Site Request Forgery by Barth, Jackson, and Mitchell
• Advanced SQL Injection in SQL Server Applications by Anley
• Cross Site Scripting Explained by Klein
• XSS (Cross Site Scripting) Cheat Sheet by RSnake
• Regular Expressions Considered Harmful in Client-Side XSS Filters by Bates, Barth, and Jackson
• The Ghost In The Browser: Analysis of Web-based Malware by Provos et al.
• A Crawler-based Study of Spyware on the Web by Moshchuk, Bragin, Gribble, and Levy
• Drive-By Pharming by Stamm, Ramzan, and Jakobsson

Stream ciphers used badly

• CSS Tutorial by Kesden
• Security of the WEP algorithm by Borisov, Goldberg, and Wagner
• Dismantling MIFARE Classic by Garcia et al.
• Wirelessly Pickpocketing a Mifare Classic Card by Garcia, van Rossum, Verdult, and Schreur

Memory corruption attacks

• Smashing The Stack for Fun and Profit by Aleph One
• Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses by Chien and Szor
• w00w00 on Heap Overflows by Conover and w00w00 security team
• Vudo - An Object Superstitiously Believed to Embody Magical Powers by Kaempf
• Once Upon a free() by anonymous
• Exploiting Format String Vulnerabilities by scut / team teso
• Basic Integer Overflows by blexim
• Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Cowan et al.
• Defeating the Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by Litchfield
• Bypassing Browser Memory Protection by Sotirov and Dowd
• Leveraging the ActionScript Virtual Machine by Dowd
• Heap Feng Shui in JavaScript by Sotirov
• Interpreter Exploitation by Blazakis
• Return-Oriented Programming by Roemer, Buchanan, Shacham, and Savage

Viruses, rootkits, trojans, worms, botnets

• Hunting for Metamorphic by Szor and Ferrie
• Slammed! An Inside View of the Worm That Crashed the Internet in 15 Minutes by Boutin
• Myfip Intellectual Property Theft Worm Analysis by Stewart
• Lessons from the Sony CD DRM Episode by Halderman and Felten
• Global Energy Cyberattacks: "Night Dragon" by McAfee
• Search Worms by Provos, McClain, and Wang
• An Inside Look at Botnets by Barford and Yegneswaran
• Know Your Enemy: Tracking Botnets by Bacher, Holz, Kotter, and Wicherski
• Your Botnet is My Botnet: Analysis of a Botnet Takeover by Stone-Gross et al.
• A Multi-perspective Analysis of the Storm (Peacomm) Worm by Porras, Saidi, and Yegneswaran
• An Analysis of Conficker by Porras, Saidi, and Yegneswaran
• Stuxnet Dossier by Falliere, O Murchu, and Chien

Spam

• Understanding the Network-Level Behavior of Spammers by Ramachandran and Feamster
• On the Spam Payment Trail - interview with Savage
• Click Trajectories: End-to-End Analysis of the Spam Value Chain by Levchenko et al.

Firewalls and intrusion detection

• Firewall Gateways by Cheswick and Bellovin
• Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Ptacek and Newsham
• Intrusion Detection via Static Analysis by Wagner and Dean
• Outwitting the Witty Worm by Kumar, Paxson, and Weaver

SSL and certificates

• MD5 Considered Harmful Today: Creating a Rogue CA Certificate by Sotirov et al.
• New Tricks for Defeating SSL in Practice by Moxie
• More Tricks for Defeating SSL in Practice by Moxie