Introduction

Slides

• Slides

Additional Resources

News and blogs

• The Age of Integrity by Bruce Schneier

Authentication

Slides

• 02-Authentication
• 03-Authentication
• 03-Phishing

Recommended Reading

• Security in Computing - Chapter 2.1 and 2.2
• Video 17 minutes: What’s wrong with your pa$$w0rd?

News

• Exclusive: how the Atlantic’s Jeffrey Goldberg got added to the White House Signal group chat
• Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years by Brian Krebs

Laws, regulations, and guidance

• NIST SP 800-63-4 Section 3.1.1.
• NIST proposes barring some of the most nonsensical password rules by Dan Goodin (arsTechnica)
• Password administration for system owners by the National Cyber Security Center of the United Kingdom - one of the first countries to officially advocate for user-friendly password rules

Research

• Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In Proceedings of IEEE SP 2012.
• Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, William Melicher. Design and Evaluation of a Data-Driven Password Meter In Proceedings of CHI 2017.
• Florian Mathis, John H. Williamson, Kami Vaniea, Mohamed Khamis (2020). RubikAuth: Fast and Secure Authentication in Virtual Reality. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems.
• Ur, Blase, et al. “How does your password measure up? The effect of strength meters on password creation.” 21st USENIX security symposium (USENIX Security 12). 2012.

Random Fun Stuff

• * The password game - Simple game that keeps giving you new harder, more crazy, password rules as you progress.

Access Control

Slides

• 04-Access-Control
• 05-Information-Flow-Control

News

• Erroneous Death Termination
• ‘A Total Meltdown’: Black Friday Zipcar Outage Strands Customers in Random Places

Wikipedia and other education pages

• Bell–LaPadula Model
• Biba Integrity Model

Research

Cryptography

Cryptography is the study of encryption approaches and is one of the most basic tools used in security. In this module we will cover some of the basic principles of cryptography and some of the most common cryptography aprroaches.

Slides

• 06 Cryptography Introduction
  • Topics: Man in the Middle, substitution ciphers, one time pad, stream ciphers, block ciphers
  • 06-Handout
• 07 Cryptography
  • Topics: Playfair cipher, crypto errors, hash functions, hmac, sp-networks
  • 07-Handout – (Answers)
• 08 Cryptography

Recommended Reading

Security in Computing - Chapter 2.1 and 2.2

Learning Goals

Understand

Encryption is not magic, it does not protect all things from all attacks, it is built on assumptions and like all tools is designed to perform specific tasks. Different types of cryptography are designed to solve different problems, think about the problems, constraints, and assumptions that can be made before selecting a cryptographic approach.

Remember

Difference between symetric and asymetric cryptography Keys, what they are for, assumptions about them, and what they do Stream and block ciphers

Apply

Think about the different tools that you use on a daily basis that claim they use encryption to protect you. Try looking up what kind of encryption they use and reason about why that type was chosen.

Additional Resources

• Vigenère cipher
• One-time-pad
  • Online one-time-pad encoder/decoder
• A Stick Figure Guide to the Advanced Encryption Standard (AES)

Networking

Slides

• 09 Networking Introduction
  • Packets, IP addressing, OSI network model, ports, TCP
• 10 Networking
  • Autonomous Systems, BGP Routing, VPNs
• 11 Networking
  • Threat Models, Onion Routing, Denial of Service, Firewalls, NAT
• 12 Networking

Educational Games

• CS4G Network Simulator - an easy to understand and play simulator game that takes you through some of the most basic attacks in networking such as spoofing and a man in the middle attack
• Permission Impossible - a simple drag-and-drop game designed to teach firewall concepts and rules
• Blue Team - a more complicated firewall game that has you set firewall policies for multiple computers in a network, upper levels include some simple interaction with an intrusion detection system

Additional Resources

• Clark, David. “The design philosophy of the DARPA Internet protocols.” Symposium proceedings on Communications architectures and protocols. 1988.
• Mockapetris, Paul, and Kevin J. Dunlap. “Development of the domain name system.” Symposium proceedings on Communications architectures and protocols. 1988.

Secure Programming

Slides

• 13 Secure Programming
• 14 Secure Programming
• 15 Secure Programming
  • Extra Slides - Car key hacking slides, not covered in lecture so not examinable

News from Lecture

Below are some of the news stories cited in lecture or during the first 5 minutes.

• Marks & Spencer Attack Timeline
• Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development by NSA/CISA
  • A PATH TOWARD SECURE AND MEASURABLE SOFTWARE from President Biden’s National Cybersecurity Strategy (now removed from Whitehouse website)
• A “Kill Chain” Analysis of the 2013 Target Data Breach
• Untold Story of NotPetra by Wired

Try it out

Below are some capture the flag sources online. These are not required for the course, but you may find them interesting to try out.

• PicoCFT

Additional Resources

Industry reports and resources

• OWASP Top 10

Research Papers

• Kocher, Paul, et al. “Spectre attacks: Exploiting speculative execution.” Communications of the ACM 63.7 (2020)​
• Lipp, Moritz, et al. “Meltdown: Reading kernel memory from user space.” Communications of the ACM 63.6 (2020): 46-56.
• Georgiev, Martin, et al. “The most dangerous code in the world: validating SSL certificates in non-browser software.” Proceedings of the 2012 ACM conference on Computer and communications security. 2012.
• Mohammad Tahaei and Kami Vaniea. 2022. Recruiting Participants With Programming Skills: A Comparison of Four Crowdsourcing Platforms and a CS Student Mailing List. In Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems (CHI ‘22).

Web Security

Slides

• 16-WebSecurity
  • Topics: How websites are built
• 17-Cookies
  • Topics: Cookies, web tracking, cookie access control
• 17-WebSecurity-XSS
  • Topics: Cross Site Scripting (XSS)
  • Note that a few “New Slide” slides were added after lectuer to give examples of a few points that were confusing.
• 18-WebSecurity
  • Topics:

News

• Post Office Scandle Official Report

Additional Resources

Research Papers

• Daniel Kirkman, Kami Vaniea, Daniel W. Woods (2023). DarkDialogs: Automated detection of 10 dark patterns on cookie dialogs. In Proceedings of the 8th IEEE European Symposium on Security and Privacy (EuroSP'23).

Privacy

Slides

• 19-Privacy
• 20-Privacy

Additional Resources

• Protecting Privacy in Practice: The current use, development and limits of Privacy Enhancing Technologies in data analysis by the Royal Society, March 2019

Case Studies

Today we will be going into two attacks in depth.

Slides

• 2 Cases

Attacks

• Verizon Supercookie
• Lenovo PCs shipping with “Superfish” Adware
  • Legal documents

Revision

2024 Exam

• 2024 Exam - Hand annotation indicates questions where the content was either not covered in 2025 or covered in less depth.
• 2024 Exam Answers - Sample solutions. Multiple answers are possible for some of the questions, the solutions provided are only one possible answer.

Differences between 2024 and 2025

• STRIDE was a whole lecture in 2024, but only briefly mentioned in 2025
• NAT was well covered in 2024, mostly removed in 2025
• Onion Routing covered in more depth in 2025
• New 2025 content: Metldown/Spector, Rowhammer