Introduction

Slides

• 01-Introduction Slides
  • Topics: definition of security, swiss cheese mode
• 02-Threat Models
  • Topics: threat model introduction

Remember

From 01-Introduction:

• CIA
  • Confidentiality - computer-related assets are accessed only by authorized parties.
  • Integrity - assets can be modified only by authorized parties and only in authorized ways.
  • Availability - assets are accessable to authorized parties at appropriate times.
• CIAAA adds two more:
  • Accountability - actions are traceable to entities responsible.
  • Authentication - user or data origin accurately identifiable.
• Swiss cheese model
• Data breaches are usually caused by multiple security failures.

From: 02-Threat Models

• Role of threat models in security
• Who is the adversary?
• What needs to be protected and what risks can be accepted?

Additional Resources

Videos

How Chinese Criminals Steal Your Credit Card With Just One Text

News and blogs

• The Age of Integrity by Bruce Schneier
• The computer errors from outer space - cosmic radiation can flip bits. Threats to correct opperation of software can come from anyware. Cosmic radiation even triggered a precautionary fleet action for Airbus A320’s.

Authentication

Authentication is about determining that an entity, such as a person, has a desired property, such as knowing a password. The goal of authentication is ensuring that the system knows who or what is interacting with it and can therefore make later decisions, such as access control decisions, with confidence.

Slides

• 02-Authentication
• 03-Authentication

Remember

02-Authentication

• Something you …
• Multi-factor authentication
• Authenticating identity vs a property
• Continuous authentication
• Password entropy

03-Authentication

• Hashing and salting passwords
• Online vs offline guessing of passwords
• How online and offline attacks differ

Additional Resources

Recommended Reading

• Security in Computing - Chapter 2.1 and 2.2
• Video 17 minutes: What’s wrong with your pa$$w0rd?

News

• Exclusive: how the Atlantic’s Jeffrey Goldberg got added to the White House Signal group chat
• Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years by Brian Krebs

Laws, regulations, and guidance

• NIST SP 800-63-4 Section 3.1.1.
• NIST proposes barring some of the most nonsensical password rules by Dan Goodin (arsTechnica)
• Password administration for system owners by the National Cyber Security Center of the United Kingdom - one of the first countries to officially advocate for user-friendly password rules

Research

• Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In Proceedings of IEEE SP 2012.
• Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, William Melicher. Design and Evaluation of a Data-Driven Password Meter In Proceedings of CHI 2017.
• Florian Mathis, John H. Williamson, Kami Vaniea, Mohamed Khamis (2020). RubikAuth: Fast and Secure Authentication in Virtual Reality. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems.
• Ur, Blase, et al. “How does your password measure up? The effect of strength meters on password creation.” 21st USENIX security symposium (USENIX Security 12). 2012.

Random Fun Stuff

• * The password game - Simple game that keeps giving you new harder, more crazy, password rules as you progress.

Access Control

Access control is how the system manages access to various resources. Classically access control is defined in terms of who wants to perform what action on what resource and if that tripple of (who, action, resource) should be allowed.

Slides

• 04-Access-Control
  • Access Control
  • Principle of least privilege
  • Reference monitor
  • Access control implementations
    • Access Control Directory
    • Access Control Matrix
    • Access Control Tripples
    • Access Control Lists
• 05-Information-Flow-Control
  • Access Control Capabilities
  • Multi-level security models
    • Bell-LaPadula
    • Biba
  • Cookies

News

• Erroneous Death Termination
• ‘A Total Meltdown’: Black Friday Zipcar Outage Strands Customers in Random Places

Wikipedia and other education pages

• Bell–LaPadula Model
• Biba Integrity Model

Research

Cryptography

Cryptography is the study of encryption approaches and is one of the most basic tools used in security. In this module we will cover some of the basic principles of cryptography and some of the most common cryptography aprroaches.

Slides

• 06 Cryptography Introduction
  • Topics: Man in the Middle, substitution ciphers, one time pad, stream ciphers, block ciphers
  • 06-Handout

2025 Slides

• 07 Cryptography
  • Topics: Playfair cipher, crypto errors, hash functions, hmac, sp-networks
  • 07-Handout – (Answers)
• 08 Cryptography

Recommended Reading

Security in Computing - Chapter 2.1 and 2.2

Learning Goals

Understand

Encryption is not magic, it does not protect all things from all attacks, it is built on assumptions and like all tools is designed to perform specific tasks. Different types of cryptography are designed to solve different problems, think about the problems, constraints, and assumptions that can be made before selecting a cryptographic approach.

Remember

Difference between symetric and asymetric cryptography Keys, what they are for, assumptions about them, and what they do Stream and block ciphers

Apply

Think about the different tools that you use on a daily basis that claim they use encryption to protect you. Try looking up what kind of encryption they use and reason about why that type was chosen.

Additional Resources

• Vigenère cipher
• One-time-pad
  • Online one-time-pad encoder/decoder
• A Stick Figure Guide to the Advanced Encryption Standard (AES)

Networking

Networking is how we reliably move data between computers over unstable and sometimes untrusted connections managed by strangers.

Slides

2025 Slides

• 09 Networking Introduction
  • Packets, IP addressing, OSI network model, ports, TCP
• 10 Networking
  • Autonomous Systems, BGP Routing, VPNs
• 11 Networking
  • Threat Models, Onion Routing, Denial of Service, Firewalls, NAT
• 12 Networking

Educational Networking Games

• CS4G Network Simulator - an easy to understand and play simulator game that takes you through some of the most basic attacks in networking such as spoofing and a man in the middle attack
• Permission Impossible - a simple drag-and-drop game designed to teach firewall concepts and rules
• Blue Team - a more complicated firewall game that has you set firewall policies for multiple computers in a network, upper levels include some simple interaction with an intrusion detection system

News

• A single point of failure triggered the Amazon outage affecting millions Amazon Web Service (AWS) went down for 15 hours due to a race condition and DNS.

Additional Resources

• Clark, David. “The design philosophy of the DARPA Internet protocols.” Symposium proceedings on Communications architectures and protocols. 1988.
• Mockapetris, Paul, and Kevin J. Dunlap. “Development of the domain name system.” Symposium proceedings on Communications architectures and protocols. 1988.

Secure Programming

Secure programming is a broad topic but roughly covers the security of operating systems and applications.

Slides

2025 Slides

• 13 Secure Programming
• 14 Secure Programming
• 15 Secure Programming
  • Extra Slides - Car key hacking slides, not covered in lecture so not examinable

News from Lecture

Below are some of the news stories cited in lecture or during the first 5 minutes.

• Marks & Spencer Attack Timeline
• Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development by NSA/CISA
  • A PATH TOWARD SECURE AND MEASURABLE SOFTWARE from President Biden’s National Cybersecurity Strategy (now removed from Whitehouse website)
• A “Kill Chain” Analysis of the 2013 Target Data Breach
• Untold Story of NotPetra by Wired

Try it out

Below are some capture the flag sources online. These are not required for the course, but you may find them interesting to try out.

• PicoCFT

Additional Resources

Industry reports and resources

• OWASP Top 10

Research Papers

• Kocher, Paul, et al. “Spectre attacks: Exploiting speculative execution.” Communications of the ACM 63.7 (2020)​
• Lipp, Moritz, et al. “Meltdown: Reading kernel memory from user space.” Communications of the ACM 63.6 (2020): 46-56.
• Georgiev, Martin, et al. “The most dangerous code in the world: validating SSL certificates in non-browser software.” Proceedings of the 2012 ACM conference on Computer and communications security. 2012.
• Mohammad Tahaei and Kami Vaniea. 2022. Recruiting Participants With Programming Skills: A Comparison of Four Crowdsourcing Platforms and a CS Student Mailing List. In Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems (CHI ‘22).

Web Security

Web security covers the security of web servers, browsers, users, and organizations that all interact over the Internet. This module starts with a quick course in how the Internet and websites function then moves on to more classic website attacks like Cross Site Scripting.

Slides

2025 Slides

• 16-WebSecurity
  • Topics: How websites are built
• 17-Cookies
  • Topics: Cookies, web tracking, cookie access control
• 17-WebSecurity-XSS
  • Topics: Cross Site Scripting (XSS)
  • Note that a few “New Slide” slides were added after lectuer to give examples of a few points that were confusing.
• 18-WebSecurity
  • Topics:

News

• Post Office Scandle Official Report

Additional Resources

Research Papers

• Daniel Kirkman, Kami Vaniea, Daniel W. Woods (2023). DarkDialogs: Automated detection of 10 dark patterns on cookie dialogs. In Proceedings of the 8th IEEE European Symposium on Security and Privacy (EuroSP'23).

Privacy

There are many deffinitions of privacy, in this class we will learn about: contextual privacy, boundary management, user control over data flows, and some privacy laws.

Slides

2025 Slides

• 19-Privacy
• 20-Privacy

Topics

• Definition of privacy
• Data privacy tactics
• Data privacy approaches in the US and Canada
• Privacy harms examples

Learing Goals

1. Explain multiple definitions of privacy, including privacy as confidentiality, control over information flows, anonymity, pseudonymity, and contextual integrity.
2. Differentiate privacy from security, particularly why confidentiality, encryption, and access control alone do not guarantee privacy.
3. Describe how trust operates in online systems, including trust transfer, collective trust signals, and the role of privacy policies as cross‑site trust mechanisms.
4. Explain why privacy policies emerged as a technical‑legal response to trust problems in early e‑commerce.
5. Explain the role of enforcement bodies (e.g., FTC, OPC) and how inaccurate or misleading privacy policies can result in sanctions.
6. Contrast GDPR with U.S. privacy models, especially differences in responsibility allocation between users, organizations, and governments.
7. Explain why encryption ≠ privacy, using adversary models to explain the difference.

Additional Resources

• Protecting Privacy in Practice: The current use, development and limits of Privacy Enhancing Technologies in data analysis by the Royal Society, March 2019
• The State of Web Privacy: How Wrongful Collection is Redefining Digital Risk by Coalition. - Takes a insurance-focused view to privacy breaches and observes that incorrect collection of data is being successfully litigated in the United States.