Network Security and Privacy

Course description

Reference

CS 378 - Network Security and Privacy (54315)

Spring 2009

Reference materials

Textbooks

Network Security (2nd edition) by Kaufman, Perlman, and Speciner
Security Engineering by Anderson
The Shellcoder's Handbook by Koziol et al.
The Art of Intrusion by Mitnick and Simon
Network Security Essentials (3rd edition) by Stallings

General principles and techniques

Reflections on Trusting Trust (Ken Thompson's Turing Award lecture)
Why Cryptosystems Fail by Anderson
Secure Programming for Unix and Linux HOWTO by Wheeler
Improving the Security of Your Site by Breaking Into It by Farmer and Venema
Prudent Engineering Practice for Cryptographic Protocols by Abadi and Needham

Buffer overflow

Smashing The Stack for Fun and Profit by Aleph One
Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses by Chien and Ször
Exploiting Format String Vulnerabilities by scut / team teso
Basic Integer Overflows by blexim
w00w00 on Heap Overflows by Conover and w00w00 security team
Once Upon a free() by anonymous
The Tao of Windows Buffer Overflow as taught by DilDog
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Cowan et al.
Bypassing StackGuard and StackShield by Bulba and Kil3r
Defeating the Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by Litchfield
Bypassing Browser Memory Protection by Sotirov and Dowd
Leveraging the ActionScript Virtual Machine by Dowd

Web security

Dos and Don'ts of Client Authentication on the Web by Fu, Sit, Smith, and Feamster
Cross Site Scripting Explained by Klein
Advanced SQL Injection in SQL Server Applications by Anley
XSS (Cross Site Scripting) Cheat Sheet by RSnake
MySpace Worm
Cross-Site Request Forgeries: Exploitation and Prevention by Zeller and Felten
Robust Defenses for Cross-Site Request Forgery by Barth, Jackson, and Mitchell
Beware of Finer-Grained Origins by Jackson and Barth
Securing Frame Communication in Browsers by Barth, Jackson, and Mitchell
Protecting Browser State from Web Privacy Attacks by Jackson, Bortz, Boneh, and Mitchell

Spam and phishing

Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures by Emigh
Drive-By Pharming by Stamm, Ramzan, and Jakobsson
Behind Phishing: An Examination of Phisher Modi Operandi by McGrath and Gupta
An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants by Franklin, Paxson, Perrig, and Savage
Understanding the Network-Level Behavior of Spammers by Ramachandran and Feamster
On the Spam Campaign Trail by Kreibich et al.
True DDoS Extortion Story by Berinato
Social Phishing by Jagatic, Johnson, Jakobsson, and Menczer
A Usability Study and Critique of Two Password Managers by Chiasson, van Oorschot, and Biddle
You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings by Egelman, Cranor, and Hong

Botnets, worms, viruses

Hunting for Metamorphic by Ször and Ferrie
The Ghost In The Browser: Analysis of Web-based Malware by Provos et al.
A Crawler-based Study of Spyware on the Web by Moshchuk, Bragin, Gribble, and Levy
Malware Prevalence in the KaZaA File-Sharing Network by Shin, Jung, and Balakrishnan
A Taxonomy of Computer Worms by Weaver, Paxson, Staniford, and Cunningham
Slammed! An Inside View of the Worm That Crashed the Internet in 15 Minutes by Boutin
Search Worms by Provos, McClain, and Wang
Myfip Intellectual Property Theft Worm Analysis by Stewart
Outwitting the Witty Worm by Kumar, Paxson, and Weaver
An Inside Look at Botnets by Barford and Yegneswaran
A Multifaceted Approach to Understanding the Botnet Phenomenon by Abu Rajab, Zarfoss, Monrose, and Terzis
Know Your Enemy: Tracking Botnets by Bacher, Holz, Kotter, and Wicherski
A Multi-perspective Analysis of the Storm (Peacomm) Worm by Porras, Saidi, and Yegneswaran
An Analysis of Conficker by Porras, Saidi, and Yegneswaran

Biometrics and graphical passwords

Impact of Artificial "Gummy" Fingers on Fingerprint Systems by Matsumoto, Matsumoto, Yamada, and Hoshino
Graphical Passwords: A Survey by Suo, Zhu, and Owen
Inkblot Authentication by Stubblefield and Simon
On User Choice in Graphical Password Schemes by Davis, Monrose, and Reiter

Kerberos

Designing an Authentication System: a Dialogue in Four Scenes by Bryant
Limitations of the Kerberos Authentication System by Bellovin and Merritt

Firewalls and intrusion detection

Firewall Gateways by Cheswick and Bellovin
Snort
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Ptacek and Newsham

Security problems in TCP/IP and DNS

TCP/IP Security (survey) by Chambers, Dolske, and Iyer
Security Problems in the TCP/IP Protocol Suite by Bellovin
A Look Back at "Security Problems in the TCP/IP Protocol Suite" by Bellovin
IP Spoofing Demystified by daemon9
SYN cookies by Bernstein
Protecting Browsers from DNS Rebinding Attacks by Jackson et al.
Reliable DNS Forgery in 2008
Black Ops 2008: It's The End Of The Cache As We Know It by Kaminsky

Wireless security

(In)Security of the WEP algorithm (overview)
- Intercepting Mobile Communications: The Insecurity of 802.11 by Borisov, Goldberg, and Wagner
- Your 802.11 Wireless Network Has No Clothes by Arbaugh, Shankar, and Wan
Using the Fluhrer, Mantin, and Shamir Attack to Break WEP by Stubblefield, Ioannidis, and Rubin
Survey of GSM security by Pesonen

RFID security and privacy

RFID Privacy and Security (RSA Labs)
RFID Privacy Workshop: Concerns, Consensus, and Questions
Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems by Weis, Sarma, Rivest, and Engels
Authenticating Pervasive Devices with Human Protocols by Juels and Weis
The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy by Juels, Rivest, and Szydlo