Project 1: Security Incident Tracking (COMP 5407W - January 2019) - last updated Jan.8 2019, 3pm
Due (on paper hard-copy): Tuesday Feb.14 in class (at the start of class). No extensions. Read these instructions carefully.

Option A: similar to option B below, but instead of 4 incidents over the specified 4 weeks, choose 3 incidents from the past year. However in this case the incidents must all be related to "Internet of Things" security, the maximum is 5 pages per incident, and an extra 2-page section must be inserted (after your introduction, before the 3 incidents) defining and explaining what the "Internet of Things" is (this then defines a scope for your incidents).

Option B: Prepare a selective report, summarizing your 4-week watch (Wednesday Jan.9, 12:01am through Tuesday Feb.5, 11:59pm) of software security incidents reported in the real world. Here software security incidents include any software-related issues affecting user security or perception thereof. Begin by determining which web sites, mailing lists, or other resources to use as your primary information sources (see below). For each of the 4 weeks, select one high-profile security incident which, during that week, occurred, was first publicly announced, received major publicity, or appeared on a relevant security incident list. Clearly identify the incident; explain why you chose it (aim for high profile, more serious, or distinctive incidents as justified by your report); and explain the problem with clear but concise technical details including what was exploited, the mechanism by which the attack succeeded, and where possible how the problem can be fixed or worked around. (The technical explanation should be at a detailed level suitable for computer science students, rather than general-public over-simplifications that commonly appear in general media reports.)

Format and length: Maximum total length 20 pages (at most 4 pages per incident), including a preliminary general section (maximum 2 pages) comparing information sources and recommending which are most helpful, and a final concluding remarks section (maximum 2 pages) summarizing any trends, concerns, your own reflections, etc. The report must be in a single-column conference research paper format (with abstract, introduction, etc.; if you need an example of such format, look at the research papers scheduled to be covered over the term). Start each incident in a new numbered section in your typeset report. Each section should cite the specific sources used (as done in research papers), with a single bibliography of cited references appearing at the end of the entire report. Use citations throughout your paper, with each referenced source including: author, title, date, and (venue, publication name, or web domain); a grade above B is unlikely if this is not done.

Information sources: Continuously updated lists of security incidents and vulnerabilities are widely available, and change over time. Some sites used by students in past years include: government-funded cites such as CVE (cve.mitre.org), NVD (nvd.nist.gov) and US-CERT (www.us-cert.gov/cas/techalerts); sites from the many security advisory companies (e.g., secunia.com/advisories), browser manufacturers (e.g., www.mozilla.org/security), anti-virus vendors such as Trend Micro, McAfee, Symantec (e.g., www.securityfocus.com/vulnerabilities), major software vendors such as Microsoft (technet.microsoft.com/en-ca/security), the Internet Storm Center (isc.sans.edu), SANS newsletters (www.sans.org/newsletters/newsbites), and high-volume mailing lists (e.g., seclists.org; see seclists.org/bugtraq/ and seclists.org/fulldisclosure/). These may or may not turn out to be the best sites for your goals - some provide a long-term catalogue of known vulnerabilities, some provide high-level information for non-technical managers, and others provide technical details of new vulnerabilities as they emerge. An important part of the project, and one that you should start with, is to explore these (and other) sites, to become familiar with their diversity and to determine which will best suit your needs. These are examples only; you may find different or newer sources are superior.

Use your own explanations: Your source information will be available online. Don't plagiarize; look up what this word means. After locating and gaining an understanding of the appropriate information, explain things in your own words in sufficient detail to demonstrate understanding. Clarify technical jargon, operating system details, etc., sufficiently to allow understanding by a computer science undergrad. Make explanations as self-contained as possible within the stated limits; include additional background as necessary.

This is an individual project. Read the "Policy re: Unethical Behaviour" on the course web page. Ideas obtained from other students or sources must be cited as such.