CSCE 813 – Internet Security

Spring 2014

Weeks 1-4: Internet Layers Security Solutions: Communication Security

01/13: Introduction

Interesting Read:

· J. Pagliery, Target hack is mostly harmless for consumers, CNN, 01/13/2014, http://money.cnn.com/2014/01/13/technology/security/target-hack/

· S. Rosenblatt, Credit card hackers hit Neiman Marcus, CNET, 01/10/2014, http://news.cnet.com/8301-1009_3-57617075-83/credit-card-hackers-hit-neiman-marcus/

· T. Luhby, Obamacare website down - and back up, CNN, 12/20/2013, http://money.cnn.com/2013/12/20/news/economy/obamacare-website/

01/15: Cyber Attacks and Cryptography Overview

Required Reading:

· CSCE 522, Lectures 1-4, http://www.cse.sc.edu/~farkas/csce522-2012/lecture.htm

Interesting Read:

· D. Stuttard, M. Pinto, The Web Application Hacker's Handbook, Chapter 2

· The official web site of the Navajo Code Talkers, http://www.navajocodetalkers.org/, 2012

01/20: No Class

01/22: TCP/IP Overview

Required Reading:

· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 2

Recommended Reading:

· Cisco, TCP/IP Technology, http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a008014f8a9.shtml

· P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe, The Modelling and Analysis of Security Protocols: the CSP Approach, Section 0 (Introduction), pages 1-37, http://www.computing.surrey.ac.uk/personal/st/S.Schneider/books/MASP.pdf

01/27: Security Protocols

Required Reading:

· P.Y.A. Ryan, S.A. Schneider, M.H. Goldsmith, G. Lowe and A.W. Roscoe, The Modelling and Analysis of Security Protocols: the CSP Approach, Section 0 (Introduction), pages 1-37, and Section 0.8 (Protocol Vulnerabilities), http://www.computing.surrey.ac.uk/personal/st/S.Schneider/books/MASP.pdf

Security Provided at the TCP/IP Layers

02/03: Network Access Layer Security

Required Reading:

· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 13

Recommended Reading:

· Cisco, L2TP Security, http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/trash/ftl2tsec.html#wp1021949

· Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability, http://www.cisco.com/en/US/products/csa/cisco-sa-20080924-l2tp.html

02/05: Network Layer Security

Reading:

· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 14

02/10: Network Layer Security 2.

Reading:

· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 14

02/12: NO CLASSES – SNOW CLOSING

02/17: Network Layer Security 3.

Reading:

· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 14

02/19: Transport Layer Security

Reading:

· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 15

Recommended Reading:

· NIST, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, 2005, http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf

· Stallings, Network Security Essentials, Third Edition, http://williamstallings.com/NetSec/NetSec3e.html

· Florian Giesen, Florian Kohlar, and Douglas Stebila. 2013. On the security of TLS renegotiation. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13). ACM, New York, NY, USA, 387-398, http://dl.acm.org/citation.cfm?id=2508859.2516694&coll=DL&dl=ACM&CFID=411422658&CFTOKEN=29190945

02/19: Application Layer Security

Reading:

· R. Oppliger, Internet and Intranet Security, Artech House, Google Book, http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC, Chapter 16

Recommended Reading:

· Symantec, HOW TO: Use Gmail with PGP Desktop 10 for Windows, 2009, http://www.symantec.com/business/support/index?page=content&id=HOWTO42108

· D. Gewirtz, If the head of Homeland Security refuses to use email, is she a Luddite?, ZDNet, http://www.zdnet.com/if-the-head-of-homeland-security-refuses-to-use-email-is-she-a-luddite-7000004999/

· OpenBSD Project, OpenSSH, http://www.openssh.com/

02/26: Summary of TCP/IP Layers Security

Interesting Read:

· Latest cybersecurity threat: WiFi virus, Homeland Security News Wire, 02/26/2014, http://www.homelandsecuritynewswire.com/dr20140226-latest-cybersecurity-threat-wifi-virus

Application Security

03/03: Web Application (In)security

Reading:

· Chapter 1 from Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, http://library.back2hack.cc/books/Hacking/Wiley_-_The_Web_Application_Hackers_Handbook_Discovering_And_Exploiting_[]_(2008)_en.pdf

· W3C, Security for Web Applications, http://www.w3.org/TR/#tr_Security_for_Web_Applications, 2012

· Web Application Security Consortium, http://www.webappsec.org/, 2012

03/05: Web Application (In)security

Reading:

· Chapter 1 from Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, http://library.back2hack.cc/books/Hacking/Wiley_-_The_Web_Application_Hackers_Handbook_Discovering_And_Exploiting_[]_(2008)_en.pdf

Interesting Read:

· W3C Standards, http://www.w3.org/standards/

· OASIS Web Services Security (WSS) TC, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

· Google Gruyere Codelab tutorial by Bruce Leban, Mugdha Bendre, and Parisa Tabriz, http://google-gruyere.appspot.com/part1#1__setup

03/10: Spring Break

03/12: Spring Break

03/17: Web Application Technologies

Reading:

· Chapter 3 from Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, http://library.back2hack.cc/books/Hacking/Wiley_-_The_Web_Application_Hackers_Handbook_Discovering_And_Exploiting_[]_(2008)_en.pdf

Interesting Read:

· W3C, RFC 2616 Section 15: Security Considerations of HTTP 1.1, http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html

· OWASP Top 10 Security Risks, https://www.owasp.org/index.php/Top_10_2010-Main, 2012

03/19: Midterm Exam

03/24: Service Oriented Architecture and Security

Reading:

· For the next classes: D. Akhawe, A. Barth, P. Lam, J.C. Mitchell and D. Song, Towards a formal foundation of Web security, Proc. IEEE Symposium on Computer Security Foundations, July 2010.

Interesting Read:

· Layer7 Technologies, XML Firewall, http://www.layer7tech.com/index.php?q=products/xml-firewall&gclid=CKrGtIv9krMCFRKpnQodGUQACg

· Microsoft, Web Service Security Patterns - Community Technical Preview, http://msdn.microsoft.com/en-us/library/ff648183.aspx

· T. Erl, SOA Principles, http://www.soaprinciples.com/

03/26: XML, RDF, Workflow Security

Reading:

· Ernesto Damiani, Sabrina De Capitani di Vimercati, Stefano Paraboschi, and Pierangela Samarati. 2002. A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. 5, 2 (May 2002), 169-202, http://dl.acm.org/citation.cfm?id=505590

Interesting Read:

· A. Stoica and C. Farkas, "Secure XML Views," Proc. 16th IFIP WG11.3 Working Conference on Database and Application Security, 133-146, 2002, http://www.cse.sc.edu/~farkas/publications/c5.pdf

· Amit Jain and Csilla Farkas. 2006. Secure resource description framework: an access control model. In Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies (SACMAT '06). ACM, New York, NY, USA, 121-129, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.84.792&rep=rep1&type=pdf

03/31: Cloud Computing and Security

Online presentation by Dr. James Walden, Cloud Computing Security, http://www.youtube.com/watch?v=EeYUhwmagBY

Reading:

· Preliminary slides (if needed): UC Berkeley CS10 Fall 2010 Lecture 20, Cloud Computing, with Prof. Armando Fox, http://www.youtube.com/watch?v=MroUlbiKi0U

· R. Sandhu et al., Towards a discipline of mission-aware cloud computing, CCSW '10, in Proc. of the 2010 Cloud Computing Workshop, 13-18, 2010, http://dl.acm.org/citation.cfm?id=1866835.1866839&coll=DL&dl=ACM&CFID=131355972&CFTOKEN=22051019

Interesting Read:

· NIST, The NIST Definition of Cloud Computing, csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf, 2011

· L. Bello, A. Russo, Towards a taint mode for cloud computing web applications, PLAS '12, Proceedings of the 7th Workshop on Programming Languages and Analysis for Security, http://dl.acm.org/citation.cfm?id=2336724&CFID=131355972&CFTOKEN=22051019

· Publications at the CCSW '11 and CCSW '12 workshops

04/02: Mobile Computing and Security

Reading:

· OWASP Mobile Security Project - Top Ten Mobile Risks, https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

· B. Prince, Top 5 Deadliest Mobile Malware Threats Of 2012, http://www.darkreading.com/mobile-security/167901113/security/news/240006056/top-5-deadliest-mobile-malware-threats-of-2012.html

Interesting Read:

· A. Gonsalves, Android malware steals location data from mobile devices, CSO Online, http://www.csoonline.com/article/711385/android-malware-steals-location-data-from-mobile-devices, 07/18/2012

04/07: Trust Management

Reading:

· Cho et al., A Survey on Trust Management for Mobile Ad Hoc Networks, IEEE Communications Surveys & Tutorials, Vol. 13, No. 4, Fourth Quarter 2011, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5604602

Interesting Reading:

· Preliminary slides (if needed): First-Order Logic, from Berkeley; Datalog, from Ramakrishnan and Gehrke

· Charles C. Zhang, Marianne Winslett: Distributed Authorization by Multiparty Trust Negotiation. ESORICS 2008: 282-299

o Slides, http://www.cs.pitt.edu/~adamlee/courses/cs3525/2009fa/lectures/MTN.pdf

o Extended manuscript, https://www.ideals.illinois.edu/bitstream/handle/2142/11467/Multiparty%20Trust%20Negotiation%20A%20New%20Approach%20to%20Distributed%20Authorization.pdf?sequence=2

04/09: Application Software Security 1.

Reading:

· Chapters 12, 19, 20 from Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, http://library.back2hack.cc/books/Hacking/Wiley_-_The_Web_Application_Hackers_Handbook_Discovering_And_Exploiting_[]_(2008)_en.pdf

04/14: Application Software Security 2.

Reading:

· Chapters 15, 18 from Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, http://library.back2hack.cc/books/Hacking/Wiley_-_The_Web_Application_Hackers_Handbook_Discovering_And_Exploiting_[]_(2008)_en.pdf

04/16: Student Presentations

PLEASE UPLOAD YOUR PRESENTATION VIA DROPBOX BY 11 AM 4/16/2014

1. Mouiad Al Wahah – IP Traceback in Cloud Computing Through Deterministic Flow Marking

a. Reading: IP traceback, http://en.wikipedia.org/wiki/IP_traceback

2. Sujan Pakala – Securing the BYOD Experience

a. Reading: Keiko Hashizume, David G. Rosado, Eduardo Fernández-Medina and Eduardo B. Fernandez, "An analysis of security issues for cloud computing," Journal of Internet Services and Applications 2013, 4:5, http://www.jisajournal.com/content/4/1/5/abstract

04/21: Student Presentations

1. Vamshi Potu – Security for Cloud Computing

a. Reading: Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage. 2009. Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09). ACM, New York, NY, USA, 199-212, http://dl.acm.org/citation.cfm?id=1653687

2. Surya Bhatt – Stock Market Prediction using Data Regression Analysis and Tweets' Sentiment Analysis

a. Reading: S. Tan et al., Interpreting the Public Sentiment Variations on Twitter, IEEE TKDE, in print, http://www.computer.org/csdl/trans/tk/preprint/06560079.pdf

3. Hatim Alsuwat and Sami Alsuwat – How to Measure Usability and Improve Security of Computer Systems

a. Reading: Jens Gerken, Hans-Christian Jetter, Michael Zöllner, Martin Mader, and Harald Reiterer. 2011. The concept maps method as a tool to evaluate the usability of APIs. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '11). ACM, New York, NY, USA, 3373-3382, http://dl.acm.org/citation.cfm?id=1979445

04/23: Student Presentations

1. Ahmed Alghamdi – XML Rewrite Attacks in the Context of SOAP Messages

a. Reading: Smriti Kumar Sinha and Azzedine Benameur. 2008. A formal solution to rewriting attacks on SOAP messages. In Proceedings of the 2008 ACM Workshop on Secure Web Services (SWS '08). ACM, New York, NY, USA, 53-60, http://dl.acm.org/citation.cfm?id=1456501

2. Aniqua Baset – Zigbee-Based Smart Meter Networks

a. Reading: Anthony P. Melaragno et al., "Securing the ZigBee Protocol in the Smart Grid," Computer 45.4 (2012): 92-94, http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6178132

3. Emad Alsuwat – Practical Concurrency Support for Web Service Transactions

a. Reading: Le Gao, Susan Darling Urban, Janani Ramachandran: A survey of transactional issues for Web Service composition and recovery, IJWGS 7(4): 331-356 (2011), http://dl.acm.org/citation.cfm?id=2093450

04/28: Student Presentations

1. Theppatorn Rhujittawiwat – Spam Image Detection Based on Geographic Area

a. Reading: Bhaskar Mehta, Saurabh Nangia, Manish Gupta, and Wolfgang Nejdl. 2008. Detecting image spam using visual features and near duplicate detection. In Proceedings of the 17th International Conference on World Wide Web (WWW '08). ACM, New York, NY, USA, 497-506, http://dl.acm.org/citation.cfm?id=1367565

Overview of CSCE 813

05/05: Final Exam: take home, due on May 5, 2014, 4:00 pm, via Dropbox or hard copy