CSCE 813 – Internet Security
Spring 2014
Weeks 1-4: Internet Layers Security Solutions: Communication Security
01/13: Introduction
Interesting Read:
01/15: Cyber Attacks and Cryptography Overview
Required Reading:
· CSCE 522, Lectures 1–4, http://www.cse.sc.edu/~farkas/csce522-2012/lecture.htm
Interesting Read:
· D. Stuttard, M. Pinto: The Web Application Hacker’s Handbook, Chapter 2
· The official web site of the Navajo Code Talkers, http://www.navajocodetalkers.org/ , 2012
01/20: No Class
01/22: TCP/IP Overview
Required Reading:
· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 2
Recommended Reading:
· CISCO: TCP/IP Technology, http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a008014f8a9.shtml
· P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe, The Modelling and Analysis
01/27: Security Protocols
Required Reading:
· P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe, The Modelling and Analysis of Security Protocols: the CSP Approach, Section 0. Introduction, pages 1–37, and Section 0.8 Protocol Vulnerabilities, http://www.computing.surrey.ac.uk/personal/st/S.Schneider/books/MASP.pdf
Security Provided at the TCP/IP Layers
02/03: Network Access Layer Security
Required Reading:
· R. Oppliger, Internet and Intranet Security, Artech House, Ch. 13
Recommended Reading:
· CISCO, L2TP Security, http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/trash/ftl2tsec.html#wp1021949
02/05: Network Layer Security
Reading:
· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 14
02/10: Network Layer Security 2.
Reading:
· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC,
Chapter 14
02/12: NO CLASSES – SNOW CLOSING
02/17: Network Layer Security 3.
Reading:
· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC,
Chapter 14
02/19: Transport Layer Security
Reading:
· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 15
Recommended reading:
· NIST, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, 2005, http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf
· Stallings, Network Security Essentials, Third Edition, http://williamstallings.com/NetSec/NetSec3e.html
· Florian Giesen, Florian Kohlar, and Douglas Stebila. 2013. On the security of TLS renegotiation. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13). ACM, New York, NY, USA, 387-398, http://dl.acm.org/citation.cfm?id=2508859.2516694&coll=DL&dl=ACM&CFID=411422658&CFTOKEN=29190945
02/19: Application Layer Security
Reading:
· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 16
Recommended reading:
· Symantec, HOW TO: Use Gmail with PGP Desktop 10 for Windows, 2009, http://www.symantec.com/business/support/index?page=content&id=HOWTO42108
· D. Gewirtz, If the head of Homeland Security refuses to use email, is she a Luddite?, ZDNet, http://www.zdnet.com/if-the-head-of-homeland-security-refuses-to-use-email-is-she-a-luddite-7000004999/
· OpenBSD Project, OpenSSH, http://www.openssh.com/
02/26: Summary of TCP/IP layers security
Interesting read:
· Latest cybersecurity threat: WiFi virus, Homeland Security News Wire, 02/26/2014, http://www.homelandsecuritynewswire.com/dr20140226-latest-cybersecurity-threat-wifi-virus
Application Security
03/03: Web Application (In)security
Reading:
· Chapter 1 from Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, http://library.back2hack.cc/books/Hacking/Wiley_-_The_Web_Application_Hackers_Handbook_Discovering_And_Exploiting_[]_(2008)_en.pdf
Reading:
· W3C Security for Web Applications, http://www.w3.org/TR/#tr_Security_for_Web_Applications, 2012
· Web Application Security Consortium, http://www.webappsec.org/, 2012
03/05: Web Application (In)security
Reading:
· Chapter 1 from Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, http://library.back2hack.cc/books/Hacking/Wiley_-_The_Web_Application_Hackers_Handbook_Discovering_And_Exploiting_[]_(2008)_en.pdf
Interesting read:
• W3C Standards, http://www.w3.org/standards/
• OASIS Web Services Security (WSS) TC, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
• Google Gruyere Codelab tutorial by Bruce Leban, Mugdha Bendre, and Parisa Tabriz, http://google-gruyere.appspot.com/part1#1__setup
03/10: Spring break
03/12: Spring break
03/17: Web Application Technologies
Reading:
· Chapter 3 from Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, http://library.back2hack.cc/books/Hacking/Wiley_-_The_Web_Application_Hackers_Handbook_Discovering_And_Exploiting_[]_(2008)_en.pdf
Interesting read:
• W3C, 15 Security Considerations of HTTP 1.1, http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html
• OWASP Top 10 Security Risks, https://www.owasp.org/index.php/Top_10_2010-Main, 2012
03/19: Midterm Exam
03/24: Service Oriented Architecture and Security
Reading:
· For next classes: D. Akhawe, A. Barth, P. Lam, J.C. Mitchell and D. Song, Towards a formal foundation of Web security, Proc. IEEE Symposium on Computer Security Foundations, July 2010.
Interesting read:
· Layer7 Technologies, XML Firewall, http://www.layer7tech.com/index.php?q=products/xml-firewall&gclid=CKrGtIv9krMCFRKpnQodGUQACg
· Microsoft, Web Service Security Patterns - Community Technical Preview, http://msdn.microsoft.com/en-us/library/ff648183.aspx
· T. Earl, SOA Principles, http://www.soaprinciples.com/
03/26: XML, RDF, Workflow Security
Reading:
· Ernesto Damiani, Sabrina De Capitani di Vimercati, Stefano Paraboschi, and Pierangela Samarati. 2002. A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. 5, 2 (May 2002), 169-202. http://dl.acm.org/citation.cfm?id=505590
Interesting Read:
· A. Stoica and C. Farkas, “Secure XML Views,” Proc. 16th IFIP WG11.3 Working Conference on Database and Application Security, 133-146, 2002. http://www.cse.sc.edu/~farkas/publications/c5.pdf
· Amit Jain and Csilla Farkas. 2006. Secure resource description framework: an access control model. In Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies (SACMAT '06). ACM, New York, NY, USA, 121-129, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.84.792&rep=rep1&type=pdf
03/31: Cloud Computing and Security
Online presentation by Dr. James Walden, Cloud Computing Security, http://www.youtube.com/watch?v=EeYUhwmagBY
Reading:
· Preliminary slides (if needed): UC Berkeley CS10 Fall 2010 Lecture 20, Cloud Computing with Prof. Armando Fox, http://www.youtube.com/watch?v=MroUlbiKi0U
· R. Sandhu, et al., Towards a discipline of mission-aware cloud computing, CCSW’10 in Proc. of the 2010 Cloud Computing Workshop, 13-18, 2010., http://dl.acm.org/citation.cfm?id=1866835.1866839&coll=DL&dl=ACM&CFID=131355972&CFTOKEN=22051019
Interesting Read:
· NIST, The NIST Definition of Cloud Computing, csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf, 2011
· L. Bello, A. Russo, Towards a taint mode for cloud computing web applications, PLAS '12 Proceedings of the 7th Workshop on Programming Languages and Analysis for Security, http://dl.acm.org/citation.cfm?id=2336724&CFID=131355972&CFTOKEN=22051019
· Publications at the CCSW’11, CCSW’12 workshops
04/02: Mobile Computing and Security
· Projects/OWASP Mobile Security Project - Top Ten Mobile Risks, https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
· B. Prince, Top 5 Deadliest Mobile Malware Threats Of 2012, http://www.darkreading.com/mobile-security/167901113/security/news/240006056/top-5-deadliest-mobile-malware-threats-of-2012.html
Interesting read:
· A. Gonsalves, Android malware steals location data from mobile devices, CSO Online, http://www.csoonline.com/article/711385/android-malware-steals-location-data-from-mobile-devices , 07/18/2012
04/07: Trust Management
· Cho et al., A Survey on Trust Management for Mobile Ad Hoc Networks, IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 13, NO. 4, FOURTH QUARTER 2011, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5604602
Interesting Reading:
· Charles C. Zhang, Marianne Winslett: Distributed Authorization by Multiparty Trust Negotiation. ESORICS 2008: 282-299
o Slides, http://www.cs.pitt.edu/~adamlee/courses/cs3525/2009fa/lectures/MTN.pdf
o Extended manuscript, https://www.ideals.illinois.edu/bitstream/handle/2142/11467/Multiparty%20Trust%20Negotiation%20A%20New%20Approach%20to%20Distributed%20Authorization.pdf?sequence=2
04/09: Application software security 1.
Reading:
· Chapters 12, 19, 20 from Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
04/14: Application software security 2.
Reading:
· Chapters 15, 18 from Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
04/16: Student Presentations
PLEASE UPLOAD YOUR PRESENTATION VIA DROPBOX BY 11 AM 4/16/2014
1. Mouiad Al Wahah – IP Traceback in Cloud Computing Through Deterministic Flow Marking
a. Reading: IP traceback, http://en.wikipedia.org/wiki/IP_traceback
2. Sujan Pakala – Securing the BYOD Experience
a. Reading: Keiko Hashizume, David G. Rosado, Eduardo Fernández-Medina and Eduardo B. Fernandez, “An analysis of security issues for cloud computing,” Journal of Internet Services and Applications 2013, 4:5, http://www.jisajournal.com/content/4/1/5/abstract
04/21: Student Presentations
1. Vamshi Potu – Security for Cloud Computing
a. Reading: Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. 2009. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09). ACM, New York, NY, USA, 199-212, http://dl.acm.org/citation.cfm?id=1653687
2. Surya Bhatt – Stock Market Prediction using Data Regression Analysis and Tweets’ Sentiment Analysis
a. Reading: S. Tan et al., Interpreting the Public Sentiment Variations on Twitter, IEEE TKDE, in print, http://www.computer.org/csdl/trans/tk/preprint/06560079.pdf
3. Hatim Alsuwat and Sami Alsuwat – How to Measure Usability and Improve Security of Computer Systems
a. Reading: Jens Gerken, Hans-Christian Jetter, Michael Zöllner, Martin Mader, and Harald Reiterer. 2011. The concept maps method as a tool to evaluate the usability of APIs. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '11). ACM, New York, NY, USA, 3373-3382, http://dl.acm.org/citation.cfm?id=1979445
04/23: Student Presentations
1. Ahmed Alghamdi – XML Rewrite Attacks in the Context of SOAP Messages
a. Reading: Smriti Kumar Sinha and Azzedine Benameur. 2008. A formal solution to rewriting attacks on SOAP messages. In Proceedings of the 2008 ACM Workshop on Secure Web Services (SWS '08). ACM, New York, NY, USA, 53-60, http://dl.acm.org/citation.cfm?id=1456501
2. Aniqua Baset – Zigbee-Based Smart Meter Networks
a. Reading: Melaragno, Anthony Patrick, et al. "Securing the ZigBee Protocol in the Smart Grid." Computer 45.4 (2012): 92-94, http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6178132
3. Emad Alsuwat – Practical Concurrency Support for Web Service Transactions
a. Reading: Le Gao, Susan Darling Urban, Janani Ramachandran: A survey of transactional issues for Web Service composition and recovery, IJWGS 7(4): 331-356 (2011), http://dl.acm.org/citation.cfm?id=2093450
04/28: Student Presentations
1. Theppatorn Rhujittawiwat – Spam image detection based on geographic area
a. Reading: Bhaskar Mehta, Saurabh Nangia, Manish Gupta, and Wolfgang Nejdl. 2008. Detecting image spam using visual features and near duplicate detection. In Proceedings of the 17th International Conference on World Wide Web (WWW '08). ACM, New York, NY, USA, 497-506, http://dl.acm.org/citation.cfm?id=1367565
Overview of CSCE 813
05/05: Final exam: take home, due on May 5, 2014, 4:00 pm via dropbox or hard copy