Lectures: 11 weeks with two sessions per week and 1.5 hours per session.
Exam: Oral
Syllabus: Autumn 2009 (PDF)
Lecture notes: Go to the download page containing the PDF files.
Assignments: You must complete one project.
Contents: The course describes attacks exploiting common vulnerabilities in computer systems and shows how the use of risk management techniques can increase the security of these systems.
The course is partly based on material found in the two textbooks shown on the right. Required reading must be done before class. In-class time will be divided between lectures and discussions.
The first part of the course analyzes attacks exploiting vulnerabilities in computer systems. Examples are cross-site scripting, SQL injection, cross-site request forgery, and denial-of-service attacks. One lecture also considers closed-circuit TV systems, location-based services, and the identity theft problem.
The second part of the course discusses authentication techniques and introduces Public-Key Infrastructures (PKIs). It is shown how a PKI can be combined with the widely used SSL protocol to provide authentication, integrity, and confidentiality services.
The third part gives an introduction to security risk management. Several large examples illustrate the most important steps in the risk management process. The examples consider technical, judicial, and usability aspects of risk management. In particular, it is explained why the poor usability of SSL simplifies phishing attacks.
The fourth and final part of the course builds on the knowledge gained earlier to develop the architecture of a framework for secure client-server applications. The framework supports thin clients such as smartphones.
Lecture slides are on the download page.
Recommended qualifications: A basic understanding of wired networks, including the TCP/IP protocols and the OSI (Open Systems Interconnection) reference model.
Ethics
The course staff may demonstrate attacks to give you a better understanding of how to protect systems. We will also discuss how it may be possible for crackers to successfully attack systems of national importance and cause serious damage. We will only discuss attacks that are known to the security community. In no way should these discussions be seen as an encouragement to carry out a real attack. Any such activity is a gross violation of the trust the course staff have shown you by accepting you as a student.
Last updated 24.10.09.
Webmaster KJH