Part 2: Write a 950-word essay describing a security incident in which you were personally involved. Be sure to include relevant details including what happened, the outcome, lessons learned, and how the organization recovered. Ideally the incident should involve computer security, but if you cannot think of one, then just pick any security incident --- for example, a theft at school or a case of cheating. Print on paper and bring to class
What is a security policy? Who writes it? What does it include? What does it not include? Perimeter definition and Risk assessment. Attack classification. Examination of some sample policies. Discussion of security incidents. Formulation of a security policy for the class website. Military vs. Commercial objectives. Role of Audit and verification. Codes of Ethics.
Read the privacy policies for Amazon.com, a website belonging to a federal agency, a website belonging to a university, and one other organization. Write an unbiased 3-page memo comparing the features of each. Do not present your opinion.
Bring three copies of this assignment to class on Tuesday, May 11th. Two copies will be shared with your classmates; one will be turned in for a grade.
Chapter 5 (pp. 33-44), "Special Pub 800-12 -- An Introduction to Computer Security: The NIST Handbook," Computer Security Resource Center (CSRC), National Institute of Standards and Technology, 1996. Download from http://csrc.nist.gov/publications/nistpubs/800-12/
ACM Code of Ethics
ISCS - Faculty & Staff
Electronic Communications Privacy Act of 1986
Children's Online Privacy Protection Act of 1998 (COPPA)
HIPAA Privacy Rule and It's Impacts on Research
Bradley W. Goldstein
Pixelcentric Interface Hall of Shame
Whitten, Alma, J. D. Tygar, Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. USENIX Security Symposium 1999.
Locks and master keys. Tempest. Soft tempest. Optical Tempest.
M. Blaze. "Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks." March 2003. IEEE Security and Privacy. March/April 2003. [GZIPed PostScript], [PDF].
Robinson, Sara, Master-Keyed Mechanical Locks Fall to Cryptographic Attack, SIAM News, Volume 36, Number 2, 2003.
Kuhn, Markus G., Anderson, Ross, "Soft Tempest: Hidden Data Transmissions Using Electromagnetic Emanations, David Aucsmith (Ed.): Information Hiding 1998, LNCS 1525, pp. 124-142, 1998.
Kuhn, Markus, G., Optical Time-Domain Eavesdropping Risks of CRT Displays, Proceedings 2002 IEEE Symposium on Security and Privacy, 12-15 May 2002, Berkeley, CA., pp. 3-18. [FAQ]
Loughry, Joe., Umphress, D., "Information Leakage from Optical Emanations, ACM Transactions on Information System Security, Vol 5, No 3., August 2002.
Garfinkel., S., Shelat, A., Remembrance of Data Passed: A Study of Disk Sanitization Practices, IEEE Security and Privacy, January 2003.
In two pages catalog the number of passwords that you use and the restrictions for each one. Be sure to include an introduction, a table, a examples. End with a set of recommendations for developers of password-based authentication systems.
"Engineering and Design - Electromagnetic Pulse (EMP) and Tempest Protection for Facilities", EP 1110-3-2, 31 December 1990.
Politrix Tempest Archive
The Complete, Unofficial TEMPEST Information Page,
Brian Carrier: Digital Forensics
The Sleuth Kit & Autopsy: Forensics Tools for Linux and other Unixes
Granger, Sarah. "Social Engineering Fundamentals, Part I: Hacker Tactics", SecurityFocus.com, December 18, 2001
Granger, Sarah. "Social Engineering Fundamentals, Part II: Combat Strategies", SecurityFocus.com, January 9, 2002
CERT Advisory CA-1991-04 Social Engineering
Marx, Gary T., Sherizen, Sanford, Monitoring On The Job: How to Protect Privacy as Well as Property, Technology Review, November-December 1986.
Marx, Gary T., Measuring Everything That Moves: The New Surveillance at Work(In I. and R. Simpson (ed.) The Workplace and Deviance, JAI series on Research in the Sociology of Work, 1999.)
Office of Personnel Management Q&A about OPM Background Invesgiations, May 2002.
Background Investigations, Comptroller of the Currency, Washington DC, June 2002.
Jonathan J. Rusch, href="http://www.isoc.org/isoc/conferences/inet/99/proceedings/3g/3g_2.htm">The note: URL currently unreachable
"Social Engineering" of Internet Fraud, The Internet Society,INET'99, San Jose, California, June 22-25, 1999. note: URL currently unreachable
SANS InfoSec Reading Room, href="http://www.sans.org/rr/catindex.php?cat_id=51">Social note: URL currently unreachable
Engineering, Featuring 8 papers as of May 18, 2004.
Inspector General, Central Intelligence Agency, href="http://www.fas.org/irp/cia/product/ig_deutch.html">, REPORT OF note: URL currently unreachable
INVESTIGATION: IMPROPER HANDLING OF CLASSIFIED INFORMATION BY JOHN note: URL currently unreachable
M. DEUTCH (1998-0028-IG)
Slides: [PDF] [Keynote]
Referenced papers in class:
Maheshwari, Umesh, Vingralek, Radek, and Shapiro, William, "How to Build a Trusted Database System on Untrusted Storage"
Bradley W. Goldstein
The Crypto FAQ, Questions 94, 95, 96, 97, 98, 99, 100, 101.
FIPS180-2: The Secure Hash Standard
A file system using hash trees for integrity
Lamport's One-Time Passwords
Hash cash (Adam Back)
Marcus J. Ranum's One Time Pad FAQ
NIST AES Home Page
FIPS 197: The Advanced Encryption Standard
NIST 800-67: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
Graphical Authentication and Visual Passwords.
Jim Liddell, Karen Renaud and Antonella De Angeli. USING A COMBINATION OF SOUND AND IMAGES TO AUTHENTICATE WEB USERS. Short Paper. HCI 2003. 17th Annual Human Computer Interaction Conference. Designing for Society. Bath, England. 8-12 Sept, 2003."
National Bureau of Standards, Federal Information Processing Standards Publication 112 --- Password Usage, May 30, 1985.
Adams, Anne, and Sasse, Martina Angela, "Users are not the Enemy", Communiations of the ACM, Volume 42, Issue 12, December 1999, pp. 40-46
Garfinkel, S. Email-Based Identification and Authentication: An Alternative to PKI?, IEEE Security and Privacy, November/December 2003.
2. Find such a file. Was your estimate correct? Why or why not?
3. How long would it take your computer to find a file with an MD5 that starts with the string deadbeefdeadbeef?
4. Find a 3-letter word with this MD5: acbd18db4cc2f85cedef654fccc4a4d8
5. Find a word with this MD5: 437b930db84b8079c2dd804a71936b5f
6. Find the multi-digit ASCII number with this MD5: 283f42764da6dba2522412916b031080
7. Crack this Unix password: NEf5XissHxu5o
8. In class it was incorrectly stated that AES is a Feistel cipher. It is not. In one page that includes a diagram, explain how AES works. Do you think that the design of AES is more secure than a Feistel network? Why or why not?
9. In class we briefly discussed two ways of implementing a cryptographic file system. The first approach encrypts each file as the file is written to the disk and decrypts each file as it is read back. A disadvantage of this approach is that is cannot be implemented in hardware.
Design the cryptographic aspects of a hardware-based disk encryption system for encrypting data stored on removable USB drives. Your device should fit between any standard USB drive and any kind of ocmputer. Data written to the USB drive should be automatically encrypted, while data read back should be decrypted. Use a block cipher as your encryption function. Be sure to answer these questions:
Crack Password - Password Recovery Software, by Elcomsoft
RSA Crypto FAQ Section 3.5: Elliptic Curve Cryptosystems
PKCS #1 (skim)
Simple Public Key Infrastructure (spki) Charter
Ellison, Carl. "SPKI/SDSI Certificates See also Web Of Trust
Public-Key Infrastructure (X.509)
What is X.509? - A Word Definition From the Webopedia Computer Dictionary
What is digital certificate? - A Word Definition From the Webopedia Computer Dictionary
Pankanti, Sharath, et. all, On the Individuality of Fingerprints.
Tsutomu Matsumoto, Hiroyuki Matsumoto, Koji Yamada, Satoshi Hoshino, Impact of Artificial "Gummy" Fingers on Fingerprint Systems
[Gummy Fingers Slides]
EFF, Biometrics: Who's Watching You
Marchesini, John, Smith, S., Zhao, Meiyuan, KeyJacking: The Surprising Insecurity of Client-side SSL, Technical Report TR2004-489, Department of Computer Science, Dartmouth College, February 13, 2004
Liu, Simon, and Silverman, Mark, A Pradctical Guide to Biometric Security Technology
For this assignment, you must identify a partner for you final project and write a 2-page proposal explaining what you intend to do. Your final project in this class will consist of the following:
Your project can either be technical or policy. That is, you can develop and test a piece of technology, or you can write an indepth analysis of a policy issue discussed in this class. The best projects will combine an aspect of both technology development and policy analysis.
Here are some topics that would be worthy of a final project:
For more ideas, you might check out Final Project Ideas from 6.857, the MIT course I helped teach in Fall 2003.
The Biometric Consortium
NIST: The Biometrics Resource Center Website
EPIC: "Biometric Identifiers"
United States General Accounting Office, Using Biometrics for Border Security, November 2002.
Boutin, Paul. Slammed! An inside view of the worm that crashed the Internet in 15 minutes.
E. Ye, S.W. Smith., "Trusted Paths for Browsers."11th Usenix Security Symposium. August 2002
Staniford, Stuart, Paxson, Vern, and Weaver, Nicholas. How to 0wn the Internet in Your Spare Time. Proceedings of the 11th USENIX Security Symposium (Security '02)
eEye Digital Security: Analysis of the Code Red Worm
The "stacheldraht" distributed denial of service attack tool
D. Wagner and B. Schneier, Analysis of the SSL 3.0 Protocol , The Second USENIX Workshop on Electronic Commerce Proceedings, USENIX Press, November 1996, pp. 29-40.
Can desktop software be designed in such a way as to promote interaction that is inherently more secure than is commonly seen today? We will focus on two proposals: Ka-Ping Yee's "User Interaction Design for Secure Systems" and Alma Whitten's "Safe Staging." Please read the first two papers and skim the full Whitten and Tygar report and come prepared to discuss.
Ka-Ping Yee, User Interaction Design for Secure Systems.
Whitten, Alma, and J. D. Tygar, Safe Staging for Computer Security, the CHI 2003 workshop paper introducing safe staging.
Whitten, Alma, and J. D. Tygar, Usability of Security: A Case Study, CMU-CS-98-155, the 26-page version of Why Johnny Can't Encrypt
Stephen A. Weis, Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems
Stephen A. Weis, RFID Privacy Workshop
Garfinkel, Adopting Fair Information Practices to Low Cost RFID Systems
The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy
This is the optional PGP assignment. If you submit assignment #8, then your grade on your lowest assignment will be dropped when your average is computing.
Download a copy of PGP (freeware is fine) from http://www.pgpi.org.
Part 1: 6:00 - 6:20
Best Practices for Security And Usability. (Preview of Simson's DIMACS talk.)
Part 2: 6:20 - 7:50pm: LOGGING
What gets logged? Who are logs for? Logging in Unix and Windows. Logfile management. Data management. Visualization of logfiles Log file policies - who gets to see them. Anonymizing PII
7:50pm - 8:00pm: BREAK
Part 3: 8:00pm - 9:00pm: INFORMATION WARFARE AND CYBERTERRORISM
Since it's now kind of late, we'll discuss the truth and hype about "information warfare." (Simson has a nice set of PowerPoint slides on this that were done for a terrorism course.)
Information Warfare (From Technology Review)
Computer Records and the Federal Rules of Evidence
Audit Trails in Evidence - A Queensland Case Study
Dynamic Instrumentation of Production Systems Paper (PDF - 236K)
Federal Rules of Evidence
SWATCH: The Simple WATCHer of Logfiles
Security Utilities - Logfiles
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
The National Strategy to Secure Cyberspace
Additional reading: note: URL currently unreachable
Stanford Website Credibility Project
Simson will be at the DIMACS Workshop on Usable Privacy and Security Software.
Work on your final projects!
No class as the DIMACS conference continues.
After a brief discussion of the DIMACS Workshop on Usable Privacy and Security Software, we will discuss incident handling.
Please do all of the reading!
Download and read two of the short papers from the DIMACS Workshop. Bring in 2 copies of each paper and be prepared to discuss them.
The HoneyNet Project:
Know Your Enemy,
Know Your Enemy II,
Know Your Enemy III,
Know Your Enemy: A Forensic Analysis
Slides from DIMACS
Giving Johnny the Keys, Alma Whitten
Freedom to Tinker
Welcome to the Anti-DMCA Website
Trusted Computing Group: Home
Tor: The Second-Generation Onion Router
Freenet: A Distributed Anonymous Information Storage and Retrieval System (2000)
Anonymous Connections and Onion Routing (Syverson et al, 1997)
Detecting Web Bugs With Bugnosis: Privacy Advocacy Through Education (2002) note: URL currently unreachable
Untraceable electronic mail, return addresses, and digital pseudonyms note: URL currently unreachable
David L. Chaum. February 1981. Communications of the ACM note: URL currently unreachable
Onion Routing (CACM 1999)
Collusion secure fingerprinting for digital data, D. Boneh, and J. Shaw, IEEE Transactions on Information Theory, Vol 44, No. 5, pp. 1897--1905, 1998.
Steganography Revealed, Kristy Westphal
Time Machine Computing (please read website and the first two papers.)
Fuzz Testing If you have the time, please take a look at the 1990 Fuzz Report and the 1995 Fuzz Revisited Report.