Hour 1: Definitions and Goals of Computer Security. Policies and Perimeters. What is a security policy? Who writes it? What does it include? What does it not include? Perimeter definition and Risk assessment. Attack classification. Examination of some sample policies. Discussion of security incidents. Formulation of a security policy for the class website. Military vs. Commercial objectives. Role of Audit and verification. Codes of Ethics.
Hour 2: Understanding Privacy: data disclosure, fair information practices.
Part 2: Write a 950-word essay describing a security incident in which you were personally involved. Be sure to include relevant details including what happened, the outcome, lessons learned, and how the organization recovered. Ideally the incident should involve computer security, but if you cannot think of one, then just pick any security incident --- for example, a theft at school or a case of cheating. Submit online before class on Tuesday.
Web Security, Privacy & Commerce:
ACM Code of Ethics
Chapter 5 (pp. 33-44), "Special Pub 800-12 -- An Introduction to Computer Security: The NIST Handbook," Computer Security Resource Center (CSRC), National Institute of Standards and Technology, 1996. Download from http://csrc.nist.gov/publications/nistpubs/800-12/
NHS patient privacy? What patient privacy! | The Register (at http://www.theregister.co.uk/content/archive/29282.html)
Electronic Communications Privacy Act of 1986
Children's Online Privacy Protection Act of 1998 (COPPA)
HIPAA Privacy Rule and It's Impacts on Research
What makes interfaces good and bad. Affordances. User models Information hidden in the user interface. Why the web is not a good model for understanding usability, security and privacy. Refer links. Web logfiles and cookies. Google.
Assignment #2: Read the privacy policies for Amazon.com, a website belonging to a federal agency, a website belonging to a university, and one other organization. Write an unbiased 3-page memo comparing the features of each, taking into account the requirements of COPPA, ECPA, and other privacy-related legislation. Do not present your opinion.
Pixelcentric Interface Hall of Shame (at http://pixelcentric.net/x-shame/)
Hour 1: Locks and master keys. Tempest. Soft tempest. Optical Tempest.
Hour 2: Information left on hard drives.
Obtain a USB flash device from yourself or a friend. Image the device's memory and write a 3 page sanitized report about what you find. Be sure to discuss the tools you used, the files, deleted files, and data in the slack space. If the USB device that you have is not sufficiently interesting, or if you are unable to find one that you can image, you may use one of the images from the class website.
You will have 2 weeks to work on this Assignment, but you should send a 1-paragraph status report to the course instructor by the end of this week
Three images have been posted to the class website:
Kuhn, Markus G., Anderson, Ross, "Soft Tempest: Hidden Data Transmissions Using Electromagnetic Emanations, David Aucsmith (Ed.): Information Hiding 1998, LNCS 1525, pp. 124-142, 1998.
Kuhn, Markus, G., Optical Time-Domain Eavesdropping Risks of CRT Displays, Proceedings 2002 IEEE Symposium on Security and Privacy, 12-15 May 2002, Berkeley, CA., pp. 3-18. [FAQ]
Loughry, Joe., Umphress, D., "Information Leakage from Optical Emanations, ACM Transactions on Information System Security, Vol 5, No 3., August 2002.
Garfinkel., S., Shelat, A., Remembrance of Data Passed: A Study of Disk Sanitization Practices, IEEE Security and Privacy, January 2003.
Robinson, Sara, Master-Keyed Mechanical Locks Fall to Cryptographic Attack, SIAM News, Volume 36, Number 2, 2003.
"Engineering and Design - Electromagnetic Pulse (EMP) and Tempest Protection for Facilities", EP 1110-3-2, 31 December 1990.
Politrix Tempest Archive
The Complete, Unofficial TEMPEST Information Page,
Ross Anderson's Home Page (at http://www.cl.cam.ac.uk/users/rja14/)
Markus Kuhn’s home page (at http://www.cl.cam.ac.uk/~mgk25/)
The Coroner's Toolkit (TCT) (at http://www.porcupine.org/forensics/tct.html)
Brian Carrier: Digital Forensics (at http://www.cerias.purdue.edu/homes/carrier/forensics/)
The Sleuth Kit & Autopsy: Forensics Tools for Linux and other Unixes (at http://www.sleuthkit.org/)
Hour 2: Defeating the standard model. Viruses, Worms, and Peer-to-peer.
Good, Nathaniel S., Krekelberg, Aaron, Usability and privacy: a study of Kazaa P2P file-sharing
Web Security, Privacy & Commerce:
Hour 1: Passwords Why do we use passwords? Password policies. Graphical Passwords Recovering Passwords; EBAI.
Hour 2: Biometrics
National Bureau of Standards, Federal Information Processing Standards Publication 112 --- Password Usage, May 30, 1985.
Adams, Anne, and Sasse, Martina Angela, "Users are not the Enemy", Communications of the ACM, Volume 42, Issue 12, December 1999, pp. 40-46
Garfinkel, S. Email-Based Identification and Authentication: An Alternative to PKI?, IEEE Security and Privacy, November/December 2003.
Jermyn, I., Mayer, A., Monrose, F., Reiter, M. K., & Rubin, A. D. (1999, August). The Design and Analysis of Graphical Passwords. Paper presented at the Proceedings of the 8th USENIX Security Symposium.
Pankanti, Sharath, et. all, On the Individuality of Fingerprints.
Tsutomu Matsumoto, Hiroyuki Matsumoto, Koji Yamada, Satoshi Hoshino, Impact of Artificial "Gummy" Fingers on Fingerprint Systems
[Gummy Fingers Slides]
EFF, Biometrics: Who's Watching You
Liu, Simon, and Silverman, Mark, A Pradctical Guide to Biometric Security Technology
The Biometric Consortium
NIST: The Biometrics Resource Center Website
EPIC: "Biometric Identifiers"
United States General Accounting Office, Using Biometrics for Border Security, November 2002.
Jim Liddell, Karen Renaud and Antonella De Angeli. USING A COMBINATION OF SOUND AND IMAGES TO AUTHENTICATE WEB USERS. Short Paper. HCI 2003. 17th Annual Human Computer Interaction Conference. Designing for Society. Bath, England. 8-12 Sept, 2003."
Hour 2: Symmetric Encryption algorithms. Simple ciphers. One-time pads. DES. RC2, RC4, AES.
The Crypto FAQ, Questions 94, 95, 96, 97, 98, 99, 100, 101.
The rest of the RSA Crypto FAQ. Please be sure to read in particular:
Marcus J. Ranum's One Time Pad FAQ
NIST AES Home Page
OpenSSL: Documents, md5(3) (at http://www.openssl.org/docs/crypto/md5.html)
OpenSSL: Documents, sha(3) (at http://www.openssl.org/docs/crypto/sha.html)
Maheshwari, Umesh, Vingralek, Radek, and Shapiro, William, "How to Build a Trusted Database System on Untrusted Storage"
L0phtcrack - LC5
Crack Password - Password Recovery Software, by Elcomsoft
RFC 1321 (rfc1321) - The MD5 Message-Digest Algorithm (at http://www.faqs.org/rfcs/rfc1321.html)
RFC 3174 (rfc3174) - US Secure Hash Algorithm 1 (SHA1) (at http://www.faqs.org/rfcs/rfc3174.html)
FIPS180-2: The Secure Hash Standard
A file system using hash trees for integrity
Lamport's One-Time Passwords
Hash cash (Adam Back)
Slides on the relative speed of hardware implementations of AES finalists and DES, 3DES
FIPS 197: The Advanced Encryption Standard
NIST 800-67: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
RSA. Certificates and CAs. Smart cards. PEM, PGP and S/MIME Opportunistic Encryption in SSH and SSL. Adding opportunistic encryption to SMTP. Adding opportunistic encryption to email.
Gnu Privacy Guard (GnuPG) Mini Howto (English) (at http://webber.dewinter.com/gnupg_howto/english/GPGMiniHowto.html)
OpenSSH Project Goals (at http://www.openssh.com/goals.html)
OpenSSH Project History and Credits (at http://www.openssh.com/history.html)
Manual Pages: ssh(1) (at http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1)
OpenSSL: Support, Frequently Asked Questions (at http://www.openssl.org/support/faq.html)
Secure Messaging Assignment
This assignment will teach you about secure messaging and the "cognative walk-through" process of analyzing and critquing user interfaces.
This assignment will involve PGP, key signing, and secure messaging.
Whitten, Alma, J. D. Tygar, Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. USENIX Security Symposium 1999.
D. Wagner and B. Schneier, Analysis of the SSL 3.0 Protocol , The Second USENIX Workshop on Electronic Commerce Proceedings, USENIX Press, November 1996, pp. 29-40.
Marchesini, John, Smith, S., Zhao, Meiyuan, KeyJacking: The Surprising Insecurity of Client-side SSL, Technical Report TR2004-489, Department of Computer Science, Dartmouth College, February 13, 2004
RSA Crypto FAQ Section 3.1: RSA
RSA Crypto FAQ Section 3.5: Elliptic Curve Cryptosystems
PKCS #1 (skim)
Simple Public Key Infrastructure (spki) Charter
Ellison, Carl. "SPKI/SDSI Certificates See also Web Of Trust
RSA PKCS Standards
Public-Key Infrastructure (X.509)
What is X.509? - A Word Definition From the Webopedia Computer Dictionary (at http://www.webopedia.com/TERM/X/X_509.html)
What is digital certificate? - A Word Definition From the Webopedia Computer Dictionary (at http://www.webopedia.com/TERM/D/digital_certificate.html)
Hour 2: Watermarking
This assignment will give you a brief introduction to watermarking systems. We'll focus on the Digimarc watermark available for Windows. If you have a copy of Adobe Photoshop, you'll discover that you have support for watermarking built in. But don't worry, you don't need Photoshop to do this assignment.
1 - Spend some time going through the Digimarc website at http://www.digimarc.com/. Specifically look at IDMARC, the company's claims about homeland security, the company's technology for deterring the use of counterfeits, and MyPictureMarc.
In one paragraph, explain Digimarc's claim that watermarking can have a significant impact on document forging and the misappropriation of digital documents. Do you think that this claim is credible? Why or why not?
2 - Download and install Digimarc's ImageBridge reader and the ImageBridge watermarking plug-in.
You will need to reboot your computer.
Go to your computer's control panel for the Digimarc Watermarks and make sure that the program is configured so that Internet Explorer will display watermarked images on web pages. Now go to the Digimarc technology overview page and verify that the plug-in is working. You should see that two of the images of the bridge are watermarked.
Find another image on the DigiMarc website that is watermarked and report its information. Why do you think that they haven't watermarked all of their images?
3 - If you have a webcam or another video camera that can send real-time images to your computer, try the Digimark print-to-web demo. Briefly, you will download a PDF file, print it out, and then hold up the PDF file to your computer while running the DigiMarc MediaBridge reader. The MediaBridge reader should notice the watermarked image and take you to the appropriate web page. Does it? Do you think that this is a reasonable technology?
4 - Take a look at http://www.kenrockwell.com/tech/digimark.htm. In particular, the first image agedly has no DigiMarc, but the second image does. Try to verify the DigiMarc on the second image. What happens? Why?
Figure out some way to obtain a copy of the image of the mountains at http://www.tomtill.com/StockSampler/pages/101-040-0191.htm. Report the MD5 of this image and the image's Digimarc ID. Do you think that the "copy protection" that Tom Till has developed is effective? Why or why not?
6 - http://www.giselesgaze.com/ is a website of stock photography. The artist claims that all images are digitally watermarked and tracked with the DigiMarc Digital Watermarking system. Are they?
7 - Take one of the watermarked images that you have identified and edit it using PhotoShop, Paint, or some other image manipulation program. How many changes do you need to make to the image before the watermark no longer verifies?
8 - Finally, look at the BitTwiddler Demo on Peter Wayner's website. Can you see a difference between the image with data in one bit plane and the image with data in two? What does the option "Compare Most and Least Significant" mean? Can you explain the two artifacts in the resulting image?
Dartmouth TR2003-476: Experimenting with TCPA/TCG Hardware, Or: How I Learned to Stop Worrying and Love The Bear
Trusted Computing FAQ TC / TCG / LaGrande / NGSCB / Longhorn / Palladium (at http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html)
Freedom to Tinker (at http://www.freedomtotinker.com/)
Welcome to the Anti-DMCA Website (at http://www.anti-dmca.org/)
Hour 1: Worms and Spyware Trojan Horses and Trusted Path. History of computer viruses and worms. Melissa and ILOVEYOU. Relied on people to propagate them. Dartmouth research.
Hour 2: Social Engineering and Spoofing "Is it safe to enter my password into this window?". Micros0ft.com. Paypai.com.
Boutin, Paul. Slammed! An inside view of the worm that crashed the Internet in 15 minutes.
E. Ye, S.W. Smith., "Trusted Paths for Browsers."11th Usenix Security Symposium. August 2002
Staniford, Stuart, Paxson, Vern, and Weaver, Nicholas. How to 0wn the Internet in Your Spare Time. Proceedings of the 11th USENIX Security Symposium (Security '02)
eEye Digital Security: Analysis of the Code Red Worm
CERT Incident Note IN-2001-09: "Code Red II:" Another Worm Exploiting Buffer Overflow In IIS Indexing Service DLL (at http://www.cert.org/incident_notes/IN-2001-09.html)
The "stacheldraht" distributed denial of service attack tool
Computer Records and the Federal Rules of Evidence
Audit Trails in Evidence - A Queensland Case Study
Dynamic Instrumentation of Production Systems Paper (PDF - 236K)
Federal Rules of Evidence
SWATCH: The Simple WATCHer of Logfiles (at http://swatch.sourceforge.net/)
LogAnalysis.Org (at http://www.loganalysis.org/)
Security Utilities - Logfiles (at http://www.ja.net/CERT/JANET-CERT/software/functions/logfiles.html)
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
The National Strategy to Secure Cyberspace
Stanford Website Credibility Project
Tor: The Second-Generation Onion Router
Freenet: A Distributed Anonymous Information Storage and Retrieval System (2000)
Anonymous Connections and Onion Routing (Syverson et al, 1997)
Detecting Web Bugs With Bugnosis: Privacy Advocacy Through Education (2002)
Untraceable electronic mail, return addresses, and digital pseudonyms David L. Chaum. February 1981. Communications of the ACM
Onion Routing (CACM 1999)
Hour 2: Honeypots
RFID: Tracking Everything Everywhere (at http://www.spychips.com/rfid_overview.html)
Stephen A. Weis, Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems
Stephen A. Weis, RFID Privacy Workshop
Garfinkel, Adopting Fair Information Practices to Low Cost RFID Systems
The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy
The HoneyNet Project:
Know Your Enemy,
Know Your Enemy II,
Know Your Enemy III,
Know Your Enemy: A Forensic Analysis
Slides from DIMACS
Giving Johnny the Keys, Alma Whitten
Whitten, Alma, and J. D. Tygar, Safe Staging for Computer Security, the CHI 2003 workshop paper introducing safe staging.
Whitten, Alma, and J. D. Tygar, Usability of Security: A Case Study, CMU-CS-98-155, the 26-page version of Why Johnny Can't Encrypt
Andrew Patrick's home page