UT CS 361s - Network Security and Privacy

This preview shows page 1-2-16-17-18-33-34 out of 34 pages.


Slide titles:
Network Security and Privacy
Course Personnel
Prerequisites
Course Logistics
Late Submission Policy
Course Materials
Other Helpful Books
Main Themes of the Course
What This Course is Not About
Motivation
Excerpt From “General Terms of Use”
“Privacy, Security and Legal”
What Do You Think?
Desirable Security Properties
Syllabus (1): Security Mechanisms
Syllabus (2): Attacks and Defenses
Peek at the Dark Side
A Security Engineer’s Mindset
Ken Thompson
“Reflections on Trusting Trust”
Slide 21
Slide 22
Slide 23
Network Stack
Network Defenses
Correctness versus Security
What Drives the Attackers?
Marketplace for Vulnerabilities
It’s a Business
Marketplace for Stolen Data
Marketplace for Victims
Bad News
Better News
Reading Assignment

Vitaly Shmatikov
CS 361S
Network Security and Privacy
http://www.cs.utexas.edu/~shmat/courses/cs361s/

Slide 2: Course Personnel

Instructor: Vitaly Shmatikov
• Office: GDC 6.812
• Office hours: Tuesday, 1-2pm
• Open door policy – don’t hesitate to stop by!
TA: Oliver Jensen
• Office: GDC 6.818A
• Office hours: Wednesday, 11am-12n
Watch the course website
• Assignments, reading materials, lecture notes

Slide 3: Prerequisites

Required: working knowledge of C and JavaScript
• The first project is about Web security
• The second involves writing buffer overflow attacks in C
  – You must have detailed understanding of x86 architecture, stack layout, calling conventions, etc.
Recommended: Introduction to Computer Security; Cryptography; Computer Networks; Compilers and/or Operating Systems
• Not much overlap with this course, but will help gain deeper understanding of security mechanisms and where they fit in the big picture

Slide 4: Course Logistics

Lectures
• Tuesday, Thursday 11a-12:30p
Three homeworks (30% of the grade)
Two projects (10 + 15% of the grade)
• A fair bit of C coding and PHP/JavaScript hacking
• Can be done in teams of 2 students
• Security is a contact sport!
Midterm (20% of the grade)
Final (25% of the grade)
UTCS Code of Conduct will be strictly enforced
No make-up or substitute exams!
If you are not sure you will be able to take the exams in class on the assigned dates, do not take this course!

Slide 5: Late Submission Policy

Each take-home assignment is due in class at 11am on the due date
• 5 take-home assignments (3 homeworks, 2 projects)
You have 3 late days to use any way you want
• You can submit one assignment 3 days late, 3 assignments 1 day late, etc.
• After you use up your days, you get 0 points for each late assignment
• Partial days are rounded up to the next full day

Slide 6: Course Materials

Textbook: Kaufman, Perlman, Speciner. “Network Security”
• Lectures will not follow the textbook
• Lectures will focus on “big-picture” principles and ideas of network attack and defense
• Attend lectures! Lectures will cover some material that is not in the textbook – and you will be tested on it!
Occasional assigned readings
• Start reading “Smashing the Stack For Fun and Profit” by Aleph One (from Phrack hacker magazine)
• Understanding it will be essential for your project

Slide 7: Other Helpful Books

Ross Anderson’s “Security Engineering”
• Focuses on design principles for secure systems
• Wide range of entertaining examples: banking, nuclear command and control, burglar alarms
“The Shellcoder’s Handbook”
• Practical how-to manual for hacking attacks
• Not a required text, but you may find it useful for the buffer overflow project
Kevin Mitnick’s “The Art of Intrusion”
• Real-world hacking stories
• Good illustration for many concepts in this course

Slide 8: Main Themes of the Course

Vulnerabilities of networked software
• Worms and botnets, denial of service, attacks on Web applications, attacks on infrastructure
Defensive technologies
• Protection of information in transit: cryptography, application- and transport-layer security protocols
• Protection of networked software: memory integrity, firewalls, antivirus tools, intrusion detection
Study a few deployed protocols in detail: from design principles to implementation details
• Kerberos, SSL/TLS, IPsec (if time permits)

Slide 9: What This Course is Not About

Not a comprehensive course on computer security
Not a course on ethical, legal, or economic issues
• No file sharing, DMCA, piracy, free speech issues
• No surveillance
Only a cursory overview of cryptography
• Take CS 346 for deeper understanding
Only some issues in systems security
• Very little about OS security, secure hardware, physical security, security of embedded devices…

Slide 10: Motivation

https://

Slide 11: Excerpt From “General Terms of Use”

YOU ACKNOWLEDGE THAT NEITHER WELLS FARGO, ITS AFFILIATES NOR ANY OF THEIR RESPECTIVE EMPLOYEES, AGENTS, THIRD PARTY CONTENT PROVIDERS OR LICENSORS WARRANT THAT THE SERVICES OR THE SITE WILL BE UNINTERRUPTED OR ERROR FREE; NOR DO THEY MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES OR THE SITE, OR AS TO THE TIMELINESS, SEQUENCE, ACCURACY, RELIABILITY, COMPLETENESS OR CONTENT OF ANY INFORMATION, SERVICE, OR MERCHANDISE PROVIDED THROUGH THE SERVICES AND THE SITE.

Slide 12: “Privacy, Security and Legal”

“As a Wells Fargo customer, your privacy and security always come first.”
• Privacy policies
• Privacy policy for individuals
• Online privacy policy
• Social Security Number protection policy
• International privacy policies
• Your online security
• How we protect you
• Online security guarantee
• Fraud information center
• How fraudsters operate
• How to protect yourself
• USA PATRIOT ACT information

Slide 13: What Do You Think?

What do you think should be included in “privacy and security” for an e-commerce website?

Slide 14: Desirable Security Properties

Authenticity
Confidentiality
Integrity
Availability
Accountability and non-repudiation
Access control
Privacy of collected information
…

Slide 15: Syllabus (1): Security Mechanisms

Basics of cryptography
• Symmetric and public-key encryption, certificates, cryptographic hash functions, pseudo-random generators
Authentication and key establishment
• Case study: Kerberos
Web security
• Case study: SSL/TLS
IP security (if time permits)
• Case study: IPsec protocol suite

Slide 16: Syllabus (2): Attacks and Defenses

Web attacks
• Cross-site scripting and request forgery, SQL injection
Network attacks
• Worms, viruses, botnets
• Spam, phishing, denial of service
• Attacks on routing and DNS infrastructure
Buffer overflow

