2005 Class outline and references (COMP 5407F)

• Class 1: On-line password dictionary attacks. Pinkas and Sander, Securing Passwords Against Dictionary Attacks, ACM CCS-9: Computer and Communications Security, Nov.2002; also visit the CAPTCHA Project site. Begin Project 1 immediately (optional background: Spafford, "Crisis and Aftermath (The Internet Worm)", Comm. of the ACM, vol.32 no.6 (1989), pp.678-687; PDF available online).
  
  
• Class 2: Off-line password dictionary attacks. Gong, Lomas, Needham, Saltzer, Protecting Poorly Chosen Secrets from Guessing Attacks, IEEE J. Selected Areas in Comm., vol.11 no.5 (June 1993). Review reading - passwords: HAC ss10.2.1-10.2.2; time variant parameters: HAC ss10.3.1.
  
  
• Class 3: Countering brute-force password attacks. Halderman, Waters, Felten, A Convenient Method for Securely Managing Passwords, World Wide Web Conference (WWW), May 2005..
  
  
• Class 4: Anti-phishing - browser plug-in. Chou, Ledesma, Teraguchi, Mitchell, Client-Side Defense Against Web-Based Identity Theft, NDSS'04 (11th Symposium on Network and Distributed System Security)
  
  
• Class 5: Anti-phishing - password management inside browsers. Ross, Jackson, Miyake, Boneh, Mitchell, Stronger Password Authentication Using Browser Extensions, USENIX Security 2005.
  
  
• Class 6: Buffer overflow exploits and defenses. Wilander and Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, NDSS'03.
  
  
• Class 7: Buffer overflow exploits and defenses (cont'd). Bhatkar et al., Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits (pdf also available online), USENIX Security 2003. Additonal notes from instructor.
  
  
• Classes 8: Computer Viruses. Nachenberg, Computer Virus-Antivirus Coevolution (Comm. ACM, Jan. 1997); pdf available online.
  
  
• Class 9: Computer Viruses and Trojan Horses. McIlroy, Virology 101 (Computing Systems, Spring 1989); and Thompson, Reflections on Trusting Trust (Comm. ACM, Aug.1984).
  
  
• Classes 10: The 1988 Internet Worm. Spafford, "Crisis and Aftermath (The Internet Worm)", Comm. of the ACM, vol.32 no.6 (1989), pp.678-687; PDF available online.
  
  
• Classes 11-12: More Recent Computer Worms. Class 11: Staniford et al., How to 0wn the Internet in Your Spare Time (2002 Usenix Security). Class 12: other recents worms (Sapphire/Slammer, Blaster, Witty). Moore et al., The Spread of the Sapphire/Slammer Worm (Feb.2003); N. Weaver, Reflections on Witty (;login, vol.29 no.3, June 2004).
  
  
• Class 13: Digital Signatures. A Comparison of Digital and Handwritten Signatures (D. Fillingham, 1997 MIT course paper).
  
  
• Class 14: Test (in class).
  
  
• Class 15-16: Digital Signatures (continued). Public key infrastructure for digital signatures: RSA signatures (background) - HAC pp.433-434; public-key certificates - HAC pp.559-560; certificate and key life cycle - HAC pp.576-581. Blakley and Blakley, All Sail, No Anchor II: Acceptable High-End PKI, Int. J. Information Security (2004) 2(2):66-77.
  
  
• Class 17: reducing email with spoofed from addresses. IETF internet drafts (2005) on SPF and DomainKeys/DKIM; P. van Oorschot, Message Authentication by Integrity with Public Corroboration, NSPW 2005.
  
  
• Class 18: techniques to address spam. Class notes.
  
  
• Class 19-23: student presentations.
  Nov.16: Preeti Raman (insider attacks), Abdulrahman Hijazi (phishing: HCI and computer security)
  Nov.21: Thomas Choi (botnets and a counter-proposal), Fauzia Alam (detecting zero-day worms)
  Nov.23: Lindy Bryanton (RFID security and privacy), Sonia Chiasson (usability study re: browser-entered passwords)
  Nov.28: Wei Cui (graphical passwords: survey and proposal), Chen Li (IM security)
  Nov.30: Jianming Cui (botnets)
  
  
• Class 24. Redundancy and Diversity in Security (Littlewood, Strigini, ESORICS 2004).