MatSays : ramblings of a grumpy developer-designer-teacher
INF400: Web Security
As the Spring 2010 class leaves for Summer Break, one last jab:
via switched.com via AVG via Computer World
Not that you needed any further proof that no one is safe from a dedicated hacker, but here’s yet another tale of Internet swindlers infecting a highly trusted site.
Roger Thompson, a researcher at AVG, discovered on Monday that three sites belonging to the U.S. Treasury Department had been hacked, and were infecting visitors with malware. According to Thompson, the attackers embedded a simple piece of nearly undetectable HTML that quietly redirected users to a website in the Ukraine, via an iframe (a method of embedding one site inside another). That embedded page used a commercially available malware kit called Eleonore Exploit pack. The exploit pack attempts to find a way into a PC by using several different known methods of attack, including flaws in Adobe Reader.
As of late Monday night, the malicious code had not been successfully scrubbed from the Treasury site, but the IT staff was aware of the issue and working towards a remedy. In the meantime, it’s strongly urged that you avoid visiting the Treasury site — even if you still haven’t seen that epic video of the new $100 bill. Besides, you can find it on (the presumably safe) YouTube.
For 2 brownie points – is that a stored or a reflected XSS? Have a nice break!
| Administrative | |
|---|---|
| Syllabus | Download PDF |
| Resources/Texts | at bottom of page |
Week 1
“Take advantage of the enemy’s unreadiness, make your way by unexpected routes, and attack unguarded spots.” - Sun Tzu

| Tue, Jan 12 | Thu, Jan 14 |
|---|---|
| Lecture Notes (1A) | General Information Security Principles. Lecture Notes (1B) |
Week 2
“I have not failed. I’ve just found 10,000 ways that won’t work.” - Thomas Edison

Reading and assignments:
- Hack of the Month: MSIE aids in Google China attack
- Hack of the Week: Russian billboard
- And more good news: Clickjacking Facebook
- Cut-throat Florists: Web Sabotage (and here)
- Read: Chapters 1 & 2 (pages 1-29)
- Read: HTTP headers for Dummies by Burak Guzel
- Do: Install at least one tool and surf with it

| Tue, Jan 12 | Thu, Jan 19 |
|---|---|
| Web Server Vulnerabilities. Lecture Notes (2A – 4 slides/page); Lecture Notes (2A – 2 slides/page). Tools – Mac: WebScarab, Burp, Paros; Windows: WebScarab, Fiddler 2 | The HTTP Protocol In-Depth. Lecture Notes (2B – 4 up); Lecture Notes (2B – 2 up) |
Week 3
“The adage is true that the security systems have to win every time, the attacker only has to win once.” - Dustin Dykes

Reading and assignments:
- Assignment 1: Instructions [due 02/09/10]
- Read: Chapters 3 & 4
- Read: Detailed Analysis of 32 Million Breached Consumer Passwords (and get the PDF)
- Read: Mobile Password Security
- Read: Survey: Data breaches from malicious attacks doubled last year
- Resource: In response to the question about the kind of things I think you should know and gain experience with outside of what they tell you in school – read this – this is just my opinion

| Tue, Jan 26 | Thu, Jan 23 |
|---|---|
| A Web Hack; Server Logs for Detection. Lecture Notes (3A – 4 up); Lecture Notes (3A – 2 up) | Databases & SQL Injection. Lecture Notes (3B – 4 up); Lecture Notes (3B – 2 up) |
Week 4
“Things are seldom what they seem, skim milk masquerades as cream.” - W.S. Gilbert, HMS Pinafore (1878)

Reading and assignments:
- Read: Chapter 5
- Read: The Cross-Site Scripting (XSS) FAQ from cgisecurity.com
- DL + Read: Recommended Practice Case Study: Cross-Site Scripting (Dept. of Homeland Security)*
- DL + Read: Symantec White Paper on Internet Security
- Read: Testing Your Web Applications for Cross-Site Scripting Vulnerabilities from Microsoft
(* material may be on exam)

| Tue, Feb 2 | Thu, Feb 4 |
|---|---|
| XSS: Cross Site Scripting. Lecture Notes (4A – 4 up); Lecture Notes (4A – 2 up) | Today we hack! In-lecture lab. If you have a laptop, please bring it and follow along. We are going to use a hacking mission site (no, not HTS) and try our hand (collectively) at learning how to perform simple hacks against vulnerable “sites”. Notes from session |
Week 5
“Only two things are infinite: the universe and human stupidity, and I’m not sure about the former.” - Albert Einstein

Reading: Chapter 6

| Tue, Feb 9 | Thu, Feb 11 |
|---|---|
| Due to the walkout, today’s class is not mandatory and I will not present new information. Instead I will take open questions as review. | Per the question about tonight’s class – we will be having class but again, in lieu of a lecture I will be conducting a review of Javascript concepts, methods and so forth. This will be followed up in a couple of weeks with a review of PHP so that as we move forward with prevention measures, the code side is a bit clearer. Everyone is welcome to attend, but as always not required. Form field addressing |
Week 6
“For many years it was believed that countless monkeys working on countless typewriters would eventually reproduce the genius of Shakespeare. Now, thanks to the World Wide Web, we know this to be false.” - Robert Wilensky

Reading and assignments:
- Assignment 2: Instructions [due 03/04/10]
- Read: textbook Chapter 7
- Read: Zeus Trojan found on 74,000 PCs in global botnet
- Read: Javascript operator precedence

| Tue, Feb 16 | Thu, Feb 18 |
|---|---|
| Character representation and encoding (Ch 4 review). Lecture Notes (6A – 4 up); Lecture Notes (6A – 2 up); Script package | Quiz today and then more hacking … yea! Notes from session 1 (week 4); Notes from session 2 (week 6) |
Week 7
“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” - Richard Clarke, White House Cybersecurity Advisor

MIDTERM EXAM WILL BE THURSDAY, MARCH 4 AT 7PM
Reading: textbook Chapter 8

| Tue, Feb 23 | Thu, Feb 25 |
|---|---|
| Today we are going to watch a video on Web Security – it is the full length of class so please be on time. | Finish the video. Lecture Notes (7B – 4 up); Lecture Notes (7B – 2 up); Script package |
Week 8
“There is no security on this earth. Only opportunity.” - Gen. Douglas MacArthur

Reading: textbook Chapter 9 (not on exam)

| Tue, Mar 2 | Thu, Mar 4 |
|---|---|
| Read: The main thing is not to install Flash! – discussion point – why not Flash? Discussion point: Given that we know that not filtering < and > markup from inbound $_REQUEST strings is one of the biggest problem areas – even if we do filter it, how do XSS attackers get around it? Review for Midterm | MIDTERM EXAM AT 7PM: 10 True-False, 12 Multiple-Choice, 3 Short Answer, 1 Short Essay |
Week 9
“Cybersecurity should become second nature, just like brushing our teeth.” - Ken Watson, National Cyber Security Alliance Chairman

Reading and assignments:
- Read: Interoperable DRM by Rob Koenen (IEEE), et al
- Read: My post on LVRJ’s article about INF
- Do: Go to LVRJ’s article page and post a comment (I have, but who knows if it will be posted; I left the body of it in my blog post)

| Tue, Mar 9 | Thu, Mar 11 |
|---|---|
| Digital Rights Management. Lecture Notes (9A – 4 up) UPDATED; Lecture Notes (9A – 2 up); Microsoft’s original patent | |
Week 10
“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.” - Bruce Schneier, Secrets and Lies

| Tue, Mar 16 | Thu, Mar 18 |
|---|---|
| Presentation of hacks – I will provide account | Sharon Morgan’s students attending IIBA. No class! |
Week 11
“Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.” - John Perry Barlow

Reading and assignments:
- Read: Facebook users hit by password-stealing attack: here’s how to stay safe!
- Please read my post about the proposed cutting of Informatics.
- Read: Server Security Check
- Assignment 3: Write a letter and have me post it! Instructions. Send your emails to neal.smatresk@unlv.edu, eric.sandgren@unlv.edu, chancellor@nevada.edu, regentjamesdean@aol.com, and the tenured faculty of Informatics

| Tue, Mar 23 | Thu, Mar 25 |
|---|---|
| Prevention: XSS. Lecture Notes (11A – 4 up); Lecture Notes (11A – 2 up) | WebGoat Videos: http://yehg.net/lab/pr0js/training/webgoat.php |
Week 12
Spring Break!
Week 13
“Security is an architecture, not an appliance.” - Art Wittmann, InformationWeek

Reading and assignments:
- Read: Textbook, Chapters 10-11
- Assignment 4: Instructions [due 04/15/10]

| Tue, Apr 6 | Thu, Apr 8 |
|---|---|
| The Problem of Ajax (why user experience, information exchange and security battle for supremacy). Lecture Notes (13A – 4 up); Lecture Notes (13A – 2 up) | InfoSec Management: Principle and Policy. Lecture Notes (13B – 4 up); Lecture Notes (13B – 2 up) |
Week 14
“I think the biggest issue has been about infrastructure and security and making customers feel that sharing their information over the Web is the right thing to do.” - L. James Thomas, Personal Information Security Advocate

Due to an influx of work, I will not be completing the site that I had intended to use for the final assignment. However, there will still be one – we’ll be using another source for it. It will be challenging but loosely graded.

| Tue, Apr 13 | Thu, Apr 15 |
|---|---|
| Continued from last week (these are addenda to the set). Lecture Notes (14A – 4 up); Lecture Notes (14A – 2 up) | SOAP vs. REST: Web Services Architecture. Lecture Notes (14A – 4 up); Lecture Notes (14A – 2 up). Additional material will be referenced from XML and Web Services |
Week 15
“We’re responsible for the creation of the PC industry. The whole idea of compatible machines and lots of software… that’s something we brought to computing. And so it’s a responsibility for us to make sure that things like security don’t get in the way of that dream. Security is, I would say, our top priority because for all the exciting things you will be able to do with computers… organizing your lives, staying in touch with people, being creative… if we don’t solve these security problems, then people will hold back. Businesses will be afraid to put their critical information on it because it will be exposed.” - Bill Gates

Reading and assignments:
- Read: OWASP Top Ten Project
- Assignment 5: Instructions – this assignment is worth less than half the value of the previous assignments.

| Tue, Apr 20 | Thu, Apr 22 |
|---|---|
| I am not feeling well so I will not be directly lecturing today. Instead, today’s lecture will be a video lecture by Neil Daswani. A slide set that we will use as extra discussion following the video can be downloaded from Google | Lecture TBD |
Week 16
“Go home, surf safely, have a nice summer!” - Mat Rosa

FINAL EXAM: Officially the final exam is scheduled for May 4 at 8:10pm. I will be offering the exam, like last semester, early to those who wish to take it. See below.

| Tue, Apr 27 | Thu, Apr 29 |
|---|---|
| Review of materials | Final Exam offered at 7:00-8:15pm |
Finals Week
Reading: New Security Concerns Floating Around in Cloud Computing

| Tue, May 4 | |
|---|---|
| Final Exam offered at 8:10-9:25pm | |
Resources

Textbooks

Required:
- Web Security Testing Cookbook by Paco Hope & Ben Walther. O’Reilly Media, Ed. 1 (2008). ISBN-10: 0596514832; ISBN-13: 978-0596514839. Amazon link (new: $23, used: $13, list: $40)

Recommended:
- Security for Web Services and Service-Oriented Architectures by Elisa Bertino, et al. Springer, Ed. 1 (2009). ISBN-10: 354087741X; ISBN-13: 978-3540877417. Amazon link (new: $70, used: $60, list: $68)
- Developer’s Guide to Web Application Security by Michael Cross