CSE 508: Network Security, Spring 2024
Schedule
Recommended reading material is listed under each lecture.
Jan 23
Introduction and Basic Concepts
slides
Reflections on Trusting Trust
Why Offensive Security Needs Engineering Textbooks
Jan 25
Ethics
slides
Legal Issues Surrounding Monitoring During Network Research
About Penetration Testing
Markets for Zero-Day Exploits: Ethics and Implications
Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws
Project Zero: Policy and Disclosure: 2021 Edition
The Shapeshifting Crypto Wars
Jan 30
Threat Landscape and Basic Security Principles
slides
The Protection of Information in Computer Systems
ENISA Threat Landscape 2023
Buying Spying: Insights into Commercial Surveillance Vendors
Feb 1
Lower Layers (Part 1)
slides
Packets Found on an Internet
tcpdump | Wireshark | Scapy
Beej's Guide to Network Concepts
Feb 6
Lower Layers (Part 2)
slides
A look back at “Security problems in the TCP/IP protocol suite”
IP-spoofing Demystified
Blind TCP/IP hijacking is still alive
Windows 7 TCP/IP Hijacking
Beej's Guide to Network Programming
TCP Puzzlers
Feb 8
Hands-on Session
Feb 13
Core Protocols: BGP
Cancelled due to winter storm
Feb 15
Core Protocols: BGP
slides
A Survey of BGP Security Issues and Solutions
Why Is It Taking So Long to Secure Internet Routing?
A Brief History of the Internet’s Biggest BGP Incidents
RPKI - The required cryptographic upgrade to BGP routing
Feb 20
Core Protocols: DNS
slides
Using the Domain Name System for System Break-ins
Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
Hold-On: Protecting Against On-Path DNS Poisoning
The Hitchhiker’s Guide to DNS Cache Poisoning
An Illustrated Guide to the Kaminsky DNS Vulnerability
DNS security threats and mitigations
DNS Security: Threat Modeling DNSSEC, DoT, and DoH
DNSSEC Deconstructed
Adopting Encrypted DNS in Enterprise Environments
A simple DNS lookup tool
Feb 22
Denial of Service
slides
Inferring Internet Denial-of-Service Activity
A Taxonomy of DDoS Attack and DDoS Defense Mechanisms
Amplification Hell: Revisiting Network Protocols for DDoS Abuse
China’s Great Cannon
Feb 27
Symmetric Key Cryptography
slides
Handbook of Applied Cryptography
The Joy of Cryptography
A Graduate Course in Applied Cryptography
Crypto 101
How (not) to use symmetric encryption
An Empirical Study of Cryptographic Misuse in Android Applications
Feb 29
Public Key Cryptography
slides
Applied Crypto Hardening
WhatsApp Encryption Overview
ECDSA: The digital signature algorithm of a better internet
The Matasano Crypto Challenges
Mar 5
Hands-on Session
Mar 7
Midterm
Mar 12
No Class: Spring Recess
Mar 14
No Class: Spring Recess
Mar 19
Authentication (Part 1)
slides
A Framework for Comparative Evaluation of Web Authentication Schemes
Dos and Don’ts of Client Authentication on the Web
Designing an Authentication System: a Dialogue in Four Scenes
Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials
zxcvbn
Mar 21
Authentication (Part 2)
slides
Mar 26
TLS
slides
Transport Layer Security (TLS)
Analyzing Forged SSL Certificates in the Wild
Analysis of the HTTPS Certificate Ecosystem
Killed by Proxy: Analyzing Client-end TLS Interception Software
Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations
Certificate Transparency
SSL/TLS and PKI History
Mar 28
Hands-on Session
Apr 2
Firewalls and Tunnels
slides
Walls and Gates
Everything VPN is New Again
WireGuard
Algo VPN
Embracing a Zero Trust Security Model
Zero Trust Architecture
BeyondProd: A new approach to cloud-native security
Apr 4
Reconnaissance
slides
nmap
The Art of Port Scanning
ZMap: Fast Internet-Wide Scanning and its Security Applications
A Brief History of Scanning
An Internet-Wide View of Internet-Wide Scanning
Apr 9
Malware
slides
The Art of Computer Virus Research and Defense
How to 0wn the Internet in Your Spare Time
Manufacturing Compromise: The Emergence of Exploit-as-a-Service
Evasive Malware Exposed and Deconstructed
The Inside Story Behind MS08-067
Apr 11
Intrusion Detection
slides
Bro: A System for Detecting Network Intruders in Real-Time
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection
Outside the Closed World: On Using Machine Learning For Network Intrusion Detection
Apr 16
Email
slides
Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0
End-To-End
Off-the-Record Communication, or, Why Not To Use PGP
Forward Secrecy for Asynchronous Messages
Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security
The PGP Problem
Enhanced Email and Web Security
Apr 18
Social Engineering
slides
Social Phishing
Interface Illusions
Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
The Social Engineering Framework
Advanced social engineering attacks
People Hacking: The Psychology of Social Engineering
Phishing Guidance: Stopping the Attack Cycle at Phase One
Apr 23
No Class
Apr 25
Web Security (slides on Piazza - courtesy of Nick Nikiforakis)
App Isolation: Get the Security of Multiple Browsers with Just One
Robust Defenses for Cross-Site Request Forgery
One-Way Web Hacking
CGI Security Holes
NT Web Technology Vulnerabilities
Perl CGI problems
Apr 30
Privacy
slides
Detecting and Defending Against Third-Party Tracking on the Web
Adnostic: Privacy Preserving Targeted Advertising
Privacy-Preserving Social Plugins
Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting
Personal Safety User Guide for Apple devices
May 2
Anonymity
slides
Tor: The Second-Generation Onion Router
Detecting Traffic Snooping in Tor Using Decoys
A Survey of Worldwide Censorship Techniques
Everything Old is New Part 2: Why Online Anonymity Matters