Lectures
Announcements
- Physical protection of digital resources, NZISF breakfast meeting, 13 October 2016. Presenter A/Prof Lech Janczewski: "There are many mechanisms used to protect data, including firewalls, intrusion detection systems, and monitoring software. Most technology-based controls can be circumvented if an attacker gains physical access to the devices being controlled. In other words, if it is easy to steal the hard drives from a computer system, then the information on those hard drives is not secure. Therefore, physical security is just as important as logical security to an information security program..."
- Security in the news:
- Hacking 3D manufacturing systems demonstrated by researchers, HelpNet Security, 21 October 2016: "... 'Dr0wned' is not the first article that raises this issue. However, all prior research has focused on a single aspect of a possible attack, assuming that all other attack elements are feasible,' the researchers say. 'This is the first experimental proof of a complete attack chain initiated by sabotaging the 3D-printed propeller." Video.
- Risks of taking electronic media overseas and not reporting the carrying of protectively marked information: an INFOSEC, PERSEC and PHYSEC case study, NZ Government, 2016: "This case study looks at the possible implications of taking sensitive or official information overseas via electronic devices and failing to report the intent to travel." Publicised in the NZ Herald, 15 Oct 2016, Foreign spies hack NZ phones, laptops: "... Digital security specialist Adam Boileau said the hotel-room incident as described wasn't surprising - he had colleagues working in Australia who said such government security breaches happened 'pretty often' - but such subterfuge was only rarely made public... Boileau said, aside from the loss of sensitive information, there were also increasing indications that hacking attacks could have serious financial and physical effects. He cited a little-reported attack on Saudi Arabian company Aramco - responsible for a tenth of the world's oil production - that saw 35,000 desktop computers junked, and a sustained Christmas 2015 cyberattack on Ukraine's power grid that left 230,000 people in the dark."
- Retailers warned about Christmas cyber threat, Sunday Star-Times, 9 October 2016: "Macmillan, ... chief executive of Auckland-based Kaon Security, said criminals were using a range of methods, but 'RAM scraper' malware was becoming increasingly popular, with at least 10 variants currently in use. 'Until recently RAM scraper breaches had been largely confined to North America, but cybercriminals are now increasingly turning their attention to Australian companies,'... RAM scraper, which is also known as memory scraper malware, harvests card data and PIN numbers. It works by exploiting a security vulnerability in the fraction-of-a-second time period between when a customer's card is swiped and when that information is encrypted by the store's POS system. The scrapers are hard to detect because the malware is usually installed remotely on a retailer's network by way of hacking or through infected email attachments and hyperlinks...".
- Spark continuing to seek information on US spying after Yahoo scanned emails, Tom Pullar-Strecker & Reuters, 5 October 2016: "Spark is doing the right thing checking with Yahoo whether Xtra customers may have had their emails snooped on by United States security agencies, privacy commissioner John Edwards says... It was revealed overnight in the US that Yahoo complied with a secret US government directive to scan the accounts of hundreds of millions of its email customers to search for terms provided by the US National Security Agency or the FBI... Edwards said that... companies should be moving to two-factor authentication to secure accounts. 'Relying on security questions and username and password is just not good any more I think.'".
- Largest DDoS attack ever delivered by botnet of hijacked IoT devices, Network World, 23 Sept 2016. "Securing the internet of things should become a major priority now that an army of compromised devices – perhaps 1 million strong - has swamped one of the industry’s top distributed denial-of-service protection services. A giant botnet made up of hijacked internet-connected things like cameras, lightbulbs, and thermostats has launched the largest DDoS attack ever against a top security blogger, an attack so big Akamai had to cancel his account because defending it ate up too many resources. It wasn’t that Akamai couldn’t mitigate the attack – it did so for three days – but doing so became too costly, so the company made a business decision to cut the affected customer loose..."
- Xtra users at risk from massive Yahoo attack, NZ Herald, 24 September 2016: "Spark warns clients after 500m accounts at US email provider breached... The hacked account information may have included names, email addresses, telephone numbers, dates of birth, and hashed passwords and, in some cases, encrypted or unencrypted security questions and answers..." If you want to learn more about how an attacker can make an excellent guess at your weak password, if they know its hash, I'd encourage you to type one of your weak passwords (and who doesn't have some of these? ;-) into the password-guesser system Telepathwords, then read Komanduri et al., "Telepathwords: preventing weak passwords by reading your mind", USENIX Security 2014. This was a required reading in COMPSCI 725 last year.
- Why Quantum Computing Has the Cybersecurity World White-Knuckled, Infoworld, 8 September 2016. "As quantum computers inch closer to reality, experts are sweating over their potential to render many of today's cybersecurity technologies useless. Earlier this year the U.S. National Institute of Standards and Technology issued a call for help ..."
- The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, CitizenLab, 24 August 2016. CVE-2016-4655, NVD, 26 August 2016. iOS 9.3.5, Apple, 25 August 2016.
- Commentary: Evidence points to another Snowden at the NSA, James Bamford, Reuters, 24 August 2016: "... While the 'auction' seemed tongue in cheek, more like hacktivists than Russian high command, the sample documents were almost certainly real. The draft of a top-secret NSA manual for implanting offensive malware, released by Edward Snowden, contains code for a program codenamed SECONDDATE. That same 16-character string of numbers and characters is in the code released by the Shadow Brokers..." Another analyst has asserted, in their blog, that Bamford's article is "littered with half truths, omissions and faulty analysis".
- Computer repair company's 5-star reviews too good to be true, NZ Herald, 20 August 2016. "An Auckland computer repairs store has raked in five-star reviews - but they weren't written by customers. Six people have confirmed their email accounts were used to write fake reviews... Catherine Xu handed her laptop and password over to CER Computers' Mt Albert branch two weeks ago to have her cracked screen repaired. After picking up the fixed laptop, Xu said she received an automated email thanking her for her latest Google Plus review..." (Example of a security design pattern: confirmation using a second channel.)
- Terrorist Attack in NZ 'not if but when', NZ Herald, 6 August 2016. "A leaked executive memo from the New Zealand Defence Force warns a terror attack on home soil is 'not a matter of if, but when' and its staff are the prime targets. One of the top tips to keep safe? Don't play Pokemon Go. ..." Tech-aware terrorists and anti-terrorists have realised that Pokémon is part of the civilian 'attack surface' for at least a year, see e.g. Pokemon plot foiled by police. The world-wide popularity of Pokémon Go has greatly raised the stakes, for both attackers and defenders. Here are links to a few recent articles from Forbes on security and privacy issues in Pokémon Go:
- http://www.forbes.com/sites/ryanmac/2016/07/31/hacker-explains-why-he-took-over-pokemon-go-creators-social-media-accounts/
- http://www.forbes.com/sites/thomasbrewster/2016/07/11/pokemon-go-google-privacy-disaster/
- http://www.forbes.com/sites/davidthier/2016/07/11/robbers-used-pokemon-go-to-lure-victims/
- How vulnerable to hacking is the US election cyber infrastructure?, theconversation.com, 2016-07-30: "Following the hack of Democratic National Committee emails and reports of a new cyberattack against the Democratic Congressional Campaign Committee, worries abound that foreign nations may be clandestinely involved in the 2016 American presidential campaign... what are some of the technical vulnerabilities faced by nations during political elections, and what's really at stake when foreign powers meddle in domestic political processes?"
- Hackers Hijack a Big Rig Truck's Accelerator and Brakes, Wired, 2016-08-02: "When cybersecurity researchers showed in recent years that they could hack a Chevy Impala or a Jeep Cherokee to disable the vehicles’ brakes or hijack their steering, the results were a disturbing wakeup call to the consumer automotive industry. But industrial automakers are still due for a reminder that they, too, are selling vulnerable computer networks on wheels—ones with direct control of 33,000 pounds of high velocity metal and glass. At the Usenix Workshop on Offensive Technologies conference next week, a group of University of Michigan researchers plan to present the findings of a disturbing set of tests on those industrial vehicles...".
- Machine Vision’s Achilles’ Heel Revealed by Google Brain Researchers, MIT Technology Review, 2016-07-22. "By some measures machine vision is better than human vision. But now researchers have found a class of “adversarial images” that easily fool it...Ref: arxiv.org/abs/1607.02533 : Adversarial Examples in the Physical World".
- Researchers, Automakers See No Quick Path to Secure Car Networks, eWeek, 2016-07-31: "The automobile industry has published its first set of in-car security best practices, but the slow development times mean the industry still has a long way to go...".
- Securing our Future Security, p. 5 of Uni News 45(5), The University of Auckland, July 2016. "... We expect building doors to always unlock and lock at the right times and access cards to work seamlessly. Those of us who have complex components of the security system in our buildings want to know that Security will arrive if we activate our silent panic alarms, and that intruder alarms will detect unlawful movements. Recently, one of the University's legacy access servers, called Forcefield, malfunctioned..."
- Handling absence or illness:
- If you must leave for family emergencies etc, PLEASE talk to the lecturer, or somehow get a message to the department. Very few problems are so urgent that we cannot be told quite quickly.
- For problems affecting assignments or tests, see the lecturer (or send email, or call on the telephone). This must be done as soon as reasonably possible, if we are to make alternative arrangements that will prevent you from getting a poor mark on this test or assignment.
- For illness during exams (or other problems that affect exam performance) students MUST contact the Examinations Office as soon as possible, and in any event within a week. The time limits and other rules of the University's Aegrotat Policy are strictly enforced.
- Many students have missed out on a whole semester of study because they just went away. Many students have failed an examination because they did not report problems until they received the failing grade. In general, if there is a problem that will affect your study you should speak to someone as soon as possible.
- Students should sit the examination if at all possible, even if they do nothing much more than hand in a script with their name.
- Students should read the exam instructions and regulations, and they should double-check the examination timetable to make sure they don't miss any of their exams. Other relevant information is available in the academic information webarea for current students.
Schedule (tentative)
- Week 1 (18 July - 22 July): Introduction; Basics of Security.
- Reading assignment (to be completed by the second day of lectures): B. W. Lampson, "Computer Security in the Real World", C. ACM 37(6) 37-46, 2004.
- Select class representative. Representatives are expected to attend our department's staff-student meetings on Mon 15 August and Mon 3 October, 1-2pm, in Room 303S-561. Notice. Information sessions. Sign-up sheet. Class rep handbook.
- Course Information Sheet, v1.0 of 2016-07-19.
- Article List for Oral Presentations. Version 1.02 of 2016-07-25, corrected abbreviation for [Wang 2016].
- Lecture Slides, set #1: Introduction to COMPSCI 725, available in PPTX and PDF. Version 1.01 of 2016-07-19.
- Week 2 (25 July - 29 July): Introduction to Cryptography. Oral & written reports.
- Oral Report Schedule, version of 2016-10-19.
- Lecture Slides, set #2: Introduction to Cryptography and Steganography. PDF version. Updated 1 August 2016.
- Lecture Slides, set #3: Oral and Written Reports. PDF version. Updated 27 July 2016.
- Week 3 (1 August - 5 August): Cryptographic Standards and Protocols. Oral & written reports (cont.)
- Students who are scheduled to present in Week 5 should make a reservation for a tutorial session in Week 4, to practice their oral presentation.
- Reading assignment from Mark Stamp, Information Security: Principles and Practice, Wiley, 2011:
- Symmetric encryption: p. 20
- Kerckhoff's principle: p. 21
- Public-key encryption: pp. 89-91
- Message integrity (HMAC): pp. 136-7
- Authentication protocols: pp. 320-4
- Lecture Slides, set #4: Cryptographic Standards and Protocols, version 1.2 of 2016-07-27. PDF version.
- Week 4 (8 August - 12 August): "Soft" security: social, legal, economic, and architectural controls. Oral and written reports (cont.)
- All students should produce a synopsis and a preliminary list of references for their written report before the end of week 6. This submission is worth 1 mark (out of 25 possible marks) for your written report.
- Students who are scheduled to present in Week 6 should make a reservation for a tutorial session in Week 5, to practice their oral presentation.
- Lecture Slides, set #5: "Soft" Security. PDF version.
- Week 5 (15 August - 19 August): Soft security (cont.). A process for writing reports. Student oral presentations begin.
- Lecture Slides, set #6: A Process for Writing Reports, 22 August 2016. PDF version.
- Week 6 (22 August - 26 August): Student oral presentations continue.
- Students who are scheduled to present in Week 8 should make a reservation for a tutorial session in Week 7, to practice their oral presentation.
- Note: there are no tutorial sessions this week.
- Mid-semester break (27 August - 11 September)
- Week 7 (12 September - 16 September): Soft security (cont.), completing your written report.
- Students who are scheduled to present in Week 9 should make a reservation for a tutorial session in Week 8, to practice their oral presentation.
- Lecture Slides, set #7, Completing your Written Report. PDF version.
- Week 8 (19 September - 23 September): Student oral presentations resume.
- Students who are scheduled to present in Week 10 should make a reservation for a tutorial session in Week 9, to practice their oral presentation.
- Week 9 (26 September - 30 September): Mo, We: Student oral presentations. Tu: lecture cancelled for graduation day.
- Students who are scheduled to present in Week 11 should make a reservation for a tutorial session in Week 10, to practice their oral presentation.
- Week 10 (3 October - 7 October). Student oral presentations.
- Week 11 (10 October - 14 October): Student oral presentations. Practice final exam.
- Tuesday: Practice final exam (ungraded, anonymous), 25 minutes. I'll mark a sample of your answers, and we'll discuss my marks on the last day of lectures.
- Due 5pm Friday: written report, in .pdf or .docx or .odt format (5 MB limit), submit via Canvas.
- Week 12 (17 October - 21 October): Student oral presentations. Revision. Marking rubric for sample exam.
- Wednesday (last lecture): Discussion of sample answers to the practice final exam of week 11. Course revision.