Readings

Authentication and Passwords

The reading covers Anderson, either 2nd edition or 3rd edition:

• 3rd edition: Anderson Ch. 3, pp. 90-97 (section 3.4–3.4.4.2)-, pp. 105-110 (section 3.4.9–3.4.12)
• 2nd edition: Anderson Ch. 2, pp. 31-39, 56-58

If you read the 3rd edition, please also read this excerpt from the 2nd edition:

“Regardless of how well passwords are managed, there can be absolute limits imposed by the design of the platform. For example, Unix systems used to limit the length of the password to eight characters (you could often enter more than this, but the ninth and subsequent characters were ignored). The effort required to try all possible passwords — the total exhaust time, in cryptanalytic jargon — is 96^8 or about 2^52, and the average effort for a search is half of this” (p. 58).

Cryptography - Asymmetric Encryption

Supplemental:

• Public key cryptography - Diffie-Hellman Key Exchange – Khan Academy
• RSA Factoring Challenge
• 2019, Crown Sterling claims to break asymmetric cryptography (lol)
  • Blackhat conference presentation
    • part 1
    • part 2
  • Promo video
  • live demonstration of cracking a ridiculously small 256-bit RSA key
  • The Doghouse: Crown Sterling – Schneier on Security

Cryptography – Digital Certificates and PKI

Online: Moxie Marlinspike: SSL And The Future Of Authenticity

Cryptography – Hashes & Symmetric

• Anderson, Ch. 5, pp. 129-149 (2nd ed.); pp. 138–156 (3rd ed.)
• “Secrets & Lies”, Chapters 6 & 7 (library link available)

Supplemental:

• Creating the ECB Penguin
• Demystifying Web Authentication (Stateless Session Cookies) | Information Security Stack Exchange
• Does “Shattered” actually show SHA-1-signed certificates are “unsafe”? | Cryptography Stack Exchange
  • Includes timeline of laggard response to moving away from MD5

Human Element

• Schneier, “The Security Mirage”
• Anderson, Chapter 2, pp. 17-30, 40-42
• “Cosmo, the Hacker ‘God’ Who Fell to Earth,” by Mat Honan

Information Privacy

Tim Cook’s EU Privacy Speech

Introduction to Computer Networking

“Secrets & Lies”, Chapters 11 & 12 (library link available)

Malware Analysis

Introduction and Chapter 0 of “Practical Malware Analysis” by Sikorski and Honig. (library link available)

Network Security Monitoring

Bejtlich, “The Practice of Network Security Monitoring”, Chapter 1 (library link available)

Password Cracking

• Goodin, “Why passwords have never been weaker”
• Gosney, “How LinkedIn’s password sloppiness hurts us all”

Physical Security

Anderson, Chapter 11

Threat Modeling

• “Threat Modeling,” by Adam Shostack (library link available).
  • Introduction
  • Chapter 1
  • Chapter 4
• Also read “Secrets & Lies”, Chapters 19 and 21 (especially chapter 21 for attack tree metrics) (library link available)

Supplemental:

• G. Conti and J. Caroland, “Embracing the Kobayashi Maru: Why You Should Teach Your Students to Cheat,” in IEEE Security & Privacy, vol. 9, no. 4, pp. 48-51, July-Aug. 2011, doi: 10.1109/MSP.2011.80. (pdf)

Web Application Security -- XSS

Stuttard and Pinto, “The Web Application Hacker’s Handbook” (library link available), Chapter 12, sections ‘Varieties of XSS’ and ‘XSS Attacks in Action’

Web application security -- SQLi

• Clarke, SQL Injection, Chapter 1 (library link available)
• Jeremiah Grossman, Saving Systems from SQLi