Network Systems Security
CPSC 526 - Network Systems Security
Attacks on networked systems, tools and techniques for detection and protection against attacks including firewalls and intrusion detection and protection systems, authentication and identification in distributed systems, cryptographic protocols for IP networks, security protocols for emerging networks and technologies, privacy enhancing communication. Legal and ethical issues will be introduced.
The lectures for this course run concurrently with CPSC626.
Course Policies
For the complete list of course policies, grading scheme, and tentative list of topics, please refer to the official course outline: http://www.cpsc.ucalgary.ca/custom/undergrad/outlines2015/w15/cpsc526and626_winter2015.pdf
Textbook
Network Security: Private Communication in a Public World, 2nd Edition by Charlie Kaufman, Radia Perlman, and Mike Speciner
A few supplemental textbooks (not required at all, just further reading or background for those interested)
- Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier
- The Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone
- Unix Network Programming by W. Richard Stevens et al. http://books.google.ca/books/about/UNIX_Network_Programming.html?id=ptSC4LpwGA0C&redir_esc=y
- Interconnections: Bridges, Routers, Switches, and Internetworking Protocols, 2nd Edition http://www.informit.com/store/interconnections-bridges-routers-switches-and-internetworking-9780201634488
Grades
- HW1 - 250 points
- HW2 - 250 points
- Roving Assignment - 100 points
- Midterm Exam - 100 points (March 9th)
- Final Exam - 300 points
CPSC 626
Communication
We will not use D2L. Instead, we will use Piazza for class communication.
This term we will be using Piazza for class discussion. The system is highly catered to getting you help fast and efficiently from classmates, the TA, and myself. Rather than emailing questions to the teaching staff, I encourage you to post your questions on Piazza. If you have any problems or feedback for the developers, email team@piazza.com.
Find our class page at: https://piazza.com/ucalgary.ca/winter2015/cpsc526/home
Lecture Schedule
Please see the University Academic Calendar for important add/drop dates, holidays, etc.
Courses/Computer_Science/CPSC_526.W2015/Lecture Notes
This section contains the class session notes.
Tutorial Schedule
Here is the (tentative) schedule of tutorial topics.
Courses/Computer Science/CPSC 526.W2015/Tutorial_Schedule
Misc Links and Security "In the News"
- http://www.getcybersafe.gc.ca/index-eng.aspx
- http://www.wired.com/2015/03/clintons-email-server-vulnerable/
- http://www.foxnews.com/tech/2014/11/07/business-payroll-systems-increasingly-vulnerable-to-hackers/?intcmp=ob_homepage_tech&intcmp=obnetwork
- http://arstechnica.com/security/2015/03/google-warns-of-unauthorized-tls-certificates-trusted-by-almost-all-oses/
- re: "Threat Intelligence" http://www.fierceitsecurity.com/story/threat-intelligence-problem/2014-10-13
- http://www.zdnet.com/article/facebook-offering-up-to-300k-in-awards-for-internet-defense-contest/
- http://www.wired.com/2014/11/michael-daniel-no-zero-day-stockpile/
- https://www.linkedin.com/pulse/security-researchers-anatomy-ryan-smith
- http://www.macdevcenter.com/pub/a/mac/2005/03/15/firewall.html
- http://www.ibiblio.org/macsupport/ipfw/
- http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24062-146.html
- network telescope: http://www.caida.org/projects/network_telescope/
- https://github.com/silviocesare/Fuzzer
- http://www.foxnews.com/politics/2015/04/07/report-russia-behind-2014-cyber-hack-on-executive-office-computer-system-got/
- http://www.foxbusiness.com/technology/2014/11/24/as-computer-hackers-show-cars-can-be-commandeered-feds-and-automakers-aim-to/
- http://arstechnica.com/information-technology/2015/03/atts-plan-to-watch-your-web-browsing-and-what-you-can-do-about-it/
- http://www.cbc.ca/news/multimedia/from-hacking-to-attacking-a-look-at-canada-s-cyberwarfare-tools-1.3003447
- http://www.foxnews.com/tech/2014/12/30/steam-chat-spreading-dangerous-malware/?intcmp=ob_article_footer_text&intcmp=obinsite
- www.foxbusiness.com/industries/2014/12/18/digital-currencies-fueling-crime-on-dark-side-internet/
- www.foxnews.com/tech/2014/12/11/ford-ditches-microsoft-for-its-in-car-software/?intcmp=ob_article_footer_text&intcmp=obnetwork
- http://www.foxbusiness.com/technology/2014/11/20/rights-groups-release-tool-that-checks-computers-for-government-spy-software/?intcmp=ob_article_footer_text&intcmp=obinsite
- www.foxnews.com/entertainment/2014/12/15/sony-warns-some-media-outlets-to-stop-reporting-on-hacked-information/
- http://www.foxnews.com/leisure/2014/12/11/coffee-loving-hackers-decode-keurigs-secure-new-machines/?intcmp=ob_article_footer_text&intcmp=obnetwork
- www.foxbusiness.com/technology/2014/12/03/hackers-using-fake-order-confirmation-emails-to-hijack-computers/?intcmp=ob_article_footer_text&intcmp=obinsite
- www.foxbusiness.com/technology/2014/12/03/amid-debate-cyber-experts-cite-similarities-between-sony-attack-and-2013-hacks/?intcmp=ob_article_footer_text&intcmp=obinsite
- http://www.foxnews.com/politics/2014/11/25/amid-hacking-attack-state-department-info-security-still-in-shambles/?intcmp=latestnews
- www.foxnews.com/politics/2014/11/20/nsa-director-china-can-damage-us-power-grid/
- www.foxnews.com/tech/2014/10/28/samsung-knox-for-android-unsafe-to-use-researcher-says/
- http://www.foxnews.com/world/2015/03/17/south-korea-points-finger-at-north-korea-in-nuclear-operator-cyberattack/?intcmp=latestnews
- https://www.apple.com/support/security/pgp/
- http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#traditional
- http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/
- https://wiki.debian.org/SELinux/Setup
- http://arstechnica.com/security/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question/
- http://www.foxnews.com/tech/2015/04/15/gao-reports-warns-hackers-could-bring-down-plane-using-passenger-wi-fi/
- openvpn:
- Java crypto
- Fedora various
- Kerberos
Question of the Day (QoD)
- Jan 14: CryptoPro asks "What is the most practical way to protect a network?"
- see notes in lecture
- Jan 16: Beenz asks: "Networks are distributed. Then how do organizations such as NSA or China's censorship agency monitor these distributed networks in a centralized fashion?"
- http://www.fcc.gov/encyclopedia/communications-assistance-law-enforcement-act
- EFF-related material on the Golden Shield: https://www.eff.org/deeplinks/2011/08/cisco-and-abuses-human-rights-china-part-1
- http://www.wired.com/2013/06/nsa-whistleblower-klein/
- http://www.submarinecablemap.com/
- EFF's pages on "Surveillance Self-Defense" https://ssd.eff.org/
```
[michael@gondolin QoDs]$ traceroute www.iust.ac.ir
traceroute to www.iust.ac.ir (194.225.230.88), 64 hops max, 52 byte packets
 1  192.168.20.1 (192.168.20.1)  0.515 ms  0.227 ms  0.235 ms
 2  sevengate.cs.ucalgary.ca (136.159.7.1)  0.655 ms  0.555 ms  0.479 ms
 3  * * *
 4  * * *
 5  pc187.hidden.ucalgary.ca (136.159.253.187)  354.563 ms *  2.910 ms
 6  10.0.10.2 (10.0.10.2)  2.110 ms  1.681 ms  2.262 ms
 7  10.16.242.4 (10.16.242.4)  6.467 ms  1.889 ms  2.117 ms
 8  h66-244-233-17.bigpipeinc.com (66.244.233.17)  2.424 ms  2.510 ms  2.025 ms
 9  ra2so-ge3-1-71.cg.bigpipeinc.com (206.174.203.105)  7.114 ms  2.953 ms  2.214 ms
10  66.163.71.101 (66.163.71.101)  3.157 ms  3.439 ms  6.755 ms
11  rd1so-ge15-0-0.cg.shawcable.net (66.163.71.89)  3.685 ms
    rc2so-tge0-4-0-9.cg.shawcable.net (66.163.71.117)  2.870 ms  2.659 ms
12  66.163.72.86 (66.163.72.86)  14.863 ms
    66.163.72.94 (66.163.72.94)  14.591 ms
    66.163.73.78 (66.163.73.78)  14.416 ms
13  xcr1.pal.cw.net (198.32.176.120)  47.410 ms  49.702 ms  51.127 ms
14  xe-8-0-0-xcr1.nyk.cw.net (195.2.28.17)  196.748 ms
    195.2.30.249 (195.2.30.249)  266.636 ms
    xe-2-0-0-xcr2.ash.cw.net (195.2.28.5)  178.191 ms
15  ae9-xcr1.bkl.cw.net (195.2.25.21)  178.232 ms
    xe-2-0-0-xcr2.ash.cw.net (195.2.28.41)  170.280 ms
    ae9-xcr1.bkl.cw.net (195.2.25.21)  175.312 ms
16  ae0-xcr1.ash.cw.net (195.2.30.45)  169.770 ms
    ae2-xcr2.lnd.cw.net (195.2.21.217)  271.515 ms
    ae0-xcr1.ash.cw.net (195.2.30.45)  170.159 ms
17  ae3-xcr2.lsw.cw.net (195.2.28.182)  274.236 ms
    ae10-xcr1.prp.cw.net (195.2.25.210)  182.074 ms
    ae3-xcr2.lsw.cw.net (195.2.28.182)  267.040 ms
18  ae5-xcr1.fri.cw.net (195.2.21.114)  171.566 ms  187.276 ms  175.481 ms
19  ae5-xcr1.fri.cw.net (195.2.21.114)  174.616 ms  163.267 ms
    ae7-xcr1.fra.cw.net (195.2.25.174)  272.651 ms
20  * ae5-xcr1.fri.cw.net (195.2.21.114)  269.485 ms
    delta-gw2.fri.cw.net (208.175.236.78)  232.989 ms
21  * delta-gw2.fri.cw.net (208.175.236.78)  340.994 ms *
22  * 194.225.151.6 (194.225.151.6)  274.979 ms  271.348 ms
23  po-1.nia-sw-150-10.ipm.core-1.iranet.ir (194.225.150.10)  278.148 ms
    194.225.151.6 (194.225.151.6)  262.069 ms
    85.132.60.74 (85.132.60.74)  344.910 ms
24  194.225.151.6 (194.225.151.6)  354.951 ms
    po-1.nia-sw-150-10.ipm.core-1.iranet.ir (194.225.150.10)  248.568 ms
    194.225.225.254 (194.225.225.254)  271.829 ms
25  194.225.225.254 (194.225.225.254)  265.357 ms  253.429 ms
    po-1.nia-sw-150-10.ipm.core-1.iranet.ir (194.225.150.10)  320.344 ms
26  * * *
27  * 194.225.228.77 (194.225.228.77)  271.827 ms  260.227 ms
28  * * *
29  * * *
```
- Jan 19: Cosmonaut asks: "What is NAT? What do the different types mean?"
- Network Address Translation. Bridged/none, source NAT (many hosts share one IP address), destination NAT (e.g., port forwarding)
- http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-2.html#ss2.1
- for the curious: "A Technique for Counting NATed Hosts" https://www.cs.columbia.edu/~smb/papers/fnat.pdf
- Feb 13: Salamander asks: "How useful is the so-called "Christmas Tree" scan?"
- packet capture picture
- On the subject of weird packets, we have previously discussed the "Ping-of-death"
From the nmap man page:
These three scan types [NULL, FIN, Xmas] are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is considered closed, while no response means it is open|filtered. The port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.
The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don't count on this though—most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter.
- March 18:
- Q1
- Q2
- Q3
- Q4
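Relating to the Feb 13 question: the nmap text quoted there notes that IDS products can be configured to detect NULL, FIN and Xmas scans. The following is an added example (not from the course materials or from nmap) of a stateless flag check: a NULL probe sets no TCP flags, a FIN probe sets only FIN, and an Xmas probe sets FIN, PSH and URG. The headers, the documentation-range addresses and the `min_ports` threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Flag combinations that never occur in a normal TCP conversation.
PROBES = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "Xmas"}

def tcp_header(sport, dport, flags):
    """Build a constructed 20-byte TCP header (seq/ack/checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def classify(segment):
    """Return 'NULL', 'FIN', 'Xmas' or None for a raw TCP segment."""
    if len(segment) < 20:              # truncated header: cannot read the flags
        return None
    flags = segment[13] & 0x3F         # low six bits: URG ACK PSH RST SYN FIN
    return PROBES.get(flags)

def scan_sources(packets, min_ports=3):
    """packets: iterable of (src_ip, raw_tcp_segment).
    Report sources that sent one probe type to at least min_ports ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, seg in packets:
        kind = classify(seg)
        if kind:
            dport = struct.unpack("!H", seg[2:4])[0]
            seen[src][kind].add(dport)
    report = {}
    for src, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= min_ports}
        if hits:
            report[src] = hits
    return report

# Constructed sample traffic: one Xmas sweep, one ordinary session, one stray NULL.
SAMPLE = [
    ("198.51.100.7", tcp_header(40000, 22, FIN | PSH | URG)),
    ("198.51.100.7", tcp_header(40000, 80, FIN | PSH | URG)),
    ("198.51.100.7", tcp_header(40000, 443, FIN | PSH | URG)),
    ("192.0.2.10", tcp_header(51000, 443, SYN)),
    ("192.0.2.10", tcp_header(51000, 443, ACK)),
    ("192.0.2.10", tcp_header(51000, 443, FIN | ACK)),   # normal close, not a probe
    ("203.0.113.5", tcp_header(40001, 25, 0)),
]

if __name__ == "__main__":
    print(scan_sources(SAMPLE))
```

A normal connection close carries FIN together with ACK, which is why the ordinary session in the sample is not flagged while a bare FIN would be.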