CSC290A - Network Security
Hofstra University - Spring 2006
Instructor: Vinnie Costa
E-Mail: vcosta@optonline.net (preferred)
vincent_costa@hofstra.edu
Class Meets: Mondays, 8:15-10:05PM, Adams, Rm: 200
Office hours: Mondays, 7:15-8:15PM, Adams 211

May 20, 2006

All Final Grades Have Been Submitted
Have A Great Summer!!!


News

'Mashup' Websites Are a Hacker's Dream Come True
New Scientist (05/13/06) Vol. 190, No. 2551, P. 28; Marks, Paul
The proliferation of mashup sites could present a major security threat, warned some participants at last month's Computer-Human Interaction conference in Montreal, Canada. Mashups, or Web applications that combine information from two or more sites, are often hastily thrown together with no guarantees of accuracy, and privacy and security concerns are sometimes just an afterthought. Mashups have become very popular for the local information they provide--neighborhood crime data overlaid on a Google map, for instance--but there is nothing to stop people from using them to collect addresses or other sensitive identifying information. Mashups have appeared that help commuters monitor traffic and travelers map their journeys, and new mashup sites are appearing at the rate of 10 a week. Google, Microsoft, and Yahoo! have all made the application programming interface (API) of their mapping sites freely available, recognizing that mashup sites help broaden the footprint of their service. But mashup creators do not take the precautions to address concerns such as data integrity, system security, and privacy, according to Hart Rossman of Science Applications International. "How do you know the data is real?" Rossman asks. The owners of the sites from which mashup creators pull their data neither know nor care that their information is being used, and the absence of encrypted ID certificates in the exchange between the mashup creator and the source invites the possibility that the data could be coming from a spoofed site, Rossman warns. Mashup sites also do not have rules governing how people's personal information can be used, and viruses could be specifically written to attack mashup sites. A mashup worm could follow the data back to its origin and corrupt its contents, says Rossman. 
The mounting security concerns come as some mashups, particularly in the travel sector, are growing into huge, multi-million-dollar ventures that play an increasingly important role in people's daily lives.

<ARCHIVED NEWS>

Syllabus

Syllabus
This is the latest syllabus for the course. It is subject to revision.
This is available in OpenOffice format (hold shift key to download) or PDF format.

Slides

Session 1
Introduction - types of attacks, security services, a model for network security, Internet standards, RFCs.
This is available in OpenOffice, PowerPoint, and PDF format (hold shift key to download).
Session 2
Conventional Encryption - Ciphers, information theory, entropy, DES, cipher block chaining, location of encryption devices, key distribution, DNS and IP addressing.
This is available in OpenOffice, PowerPoint, and PDF format (hold shift key to download).
Session 3
Public Key Cryptography - Message authentication, one-way hash functions, public key principles and algorithms, digital signatures, key management.
This is available in OpenOffice, PowerPoint, and PDF format (hold shift key to download).
Session 4
Authentication Applications - Kerberos and X.509 directory authentication service.
This is available in OpenOffice, PowerPoint, and PDF format (hold shift key to download).
Session 5
Electronic Mail Security - Pretty Good Privacy (PGP).
This is available in OpenOffice, PowerPoint, and PDF format (hold shift key to download).
Session 6 (two parts)
IP Security - IPSec, Tunneling, Transport, Security Associations, AH and ESP.
This is available in OpenOffice, PowerPoint, and PDF format (hold shift key to download).
Session 7
Firewalls - Packet filtering, application and circuit gateways, NAT, Split DNS, SSH, Trusted Systems, "An Evening With Berferd."
This is available in OpenOffice, PowerPoint, and PDF format (hold shift key to download).
Session 8
Firewalls - Trusted Systems
Web Security - Web fundamentals, attacks, security, SSL, TLS, digital watermarks, and SET.
This is available in OpenOffice, PowerPoint, and PDF format (hold shift key to download).
Session 9
Intruders - Intruders, intrusion detection, password protection.
This is available in OpenOffice, PowerPoint, and PDF format (hold shift key to download).
Session 10
Viruses - Malicious programs, viruses, worms, trojan horses, digital immune system.
This is available in OpenOffice, PowerPoint, and PDF format (hold shift key to download).

Midterm

Here is the MidTerm Exam. This is available in Word and PDF format (hold shift key to download).

This is due next class April 10.

Final

Here is the Final Exam. This is available in Word and PDF format (hold shift key to download).

This is due next class May 15.


Text

William Stallings, Network Security Essentials: Applications and Standards, 2/e, Prentice-Hall, 2003, 432pp., ISBN 0-13-035128-8

Documents

Eavesdropping Leaps Into 21st Century, by Matthew Fordahl, NY Times, 1/22/2006
Privacy for People Who Don't Show Their Navels, by Jonathan D. Glater, NY Times, 1/25/2006
Why We Listen, by Philip Bobbitt, NY Times, 1/30/2006
"An Evening With Berferd" - classic paper by Bill Cheswick
passwd - the password file that needs to be cracked as part of the final exam

Links

NPR, PGP, Thunderbird, Enigmail - This is the article by Claire Wolfe featured on NPR on 2/22/06. It has a step-by-step procedure to use PGP for email.
IPSec Simplified - Quick and simple explanation of IPSec with samples of IPSec SA combinations and major RFCs. (This link was contributed by Evan Spielberg)

Last Modified 5/20/2006