References
Highly Recommended Textbooks
- [StallingsBrown] Computer Security: Principles and Practice (3rd Edition) by William Stallings and Lawrie Brown, Publisher: Prentice Hall, 2014. http://www.amazon.com/Computer-Security-Principles-Practice-3rd/dp/0133773922
A close substitute for the above book is:
- [Stallings13] William Stallings, Cryptography and Network Security, 6th Edition, Prentice Hall, 2013. (This book provides comprehensive, academic textbook-style writing on the subject, including detailed technical descriptions of the algorithms and protocols. A bit too terse as an overview; better serves as a technical reference. Earlier editions of this book are still useful.)
- [Skoudis] Counter Hack Reloaded: A Step-by-step Guide to Computer Attacks and Effective Defenses (2nd Edition) by Ed Skoudis and Tom Liston. Publisher: Prentice Hall, 2005.
- [GoodrichTamassia11] Introduction to Computer Security by Michael Goodrich and Roberto Tamassia, Published by Pearson Higher Education, 2011. https://www.amazon.com/Introduction-Computer-Security-Michael-Goodrich/dp/0321512944 (Offers an up-to-date, comprehensive introduction to the non-crypto aspects of computer/system security.)
- [PaarPelzl10] Understanding Cryptography: A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl, Published by Springer, 2010. (Full text available as an ebook via the CUHK library. An excellent introductory text for cryptography; well balanced between mathematical rigor and engineering intuition for many modern practical crypto algorithms.)
- [Stuttard11] The Web Application Hacker’s Handbook - Discovering and Exploiting Security Flaws, 2nd Edition by Dafydd Stuttard and Marcus Pinto, Published by Wiley, 2011.
- [Kaufman02] Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security, 2nd Edition, Published by Prentice Hall, 2002. (The authors are all well-known designers/architects of key security protocols/systems widely deployed in practice. The book provides excellent insights into the technical details and the rationale behind the design of the protocols/algorithms. The technical depth may overwhelm casual, non-technical readers, though.)
Additional References
- [Anderson08] Ross Anderson, “Security Engineering, 2nd Edition” Wiley, 2008.
- [Mel] Cryptography Decrypted by H.X.Mel and Doris M.Baker. Publisher: Addison Wesley, 2000.
- [Menezes96] Alfred J. Menezes, Paul C. Van Oorschot, Scott A. Vanstone, “Handbook of Applied Cryptography”, CRC Press, 1996. A precise, mathematical-oriented reference. The entire manuscript can be freely downloaded for personal use from https://cacr.uwaterloo.ca/hac/
- [Schneier96] Bruce Schneier, Applied Cryptography, 2nd Edition, Wiley, 1996. (A classical must-read for people who are serious in working in the area of cryptography.)
- [Northcutt05] Stephen Northcutt et al., Inside Network Security Perimeter, 2nd Edition, New Riders, 2005. (Provides excellent intermediate/advanced treatment of technologies and network-planning issues including VPNs, firewalls and intrusion detection; a must-read for someone who wants to design or set up a secure network perimeter.)
- [McClure09] Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed, 6th Edition, McGraw-Hill Osborne, 2009. (One of the books in the best-selling “Hacking Exposed” series. A must-read for those who want to understand the nuts and bolts of the latest vulnerabilities and exploits of real-world systems and networks.)
- [Garfinkel02] Simson Garfinkel, Gene Spafford, Web Security, Privacy and Commerce, 2nd Edition, O’Reilly, 2002. (Easy to read, informative and up-to-date discussion of the subject. One of its strengths is its coverage of the security-related services and products available in the real world.)
- [Viega02] John Viega and Gary McGraw, Building Secure Software, Addison Wesley, 2002. (A must-read for software developers/system architects who want to build secure software.)
- [Cheswick03] William R. Cheswick, Steven M. Bellovin and Aviel D. Rubin, Firewalls and Internet Security, 2nd Edition, Addison Wesley, 2003. (Intended for an intermediate/advanced audience. Provides informative and interesting technical details.)
- [Liska03] Allan Liska, The Practice of Network Security, Prentice Hall, 2003. (A down-to-earth, good collection of practical networking/ protocol security pitfalls and configuration strategies.)
- [Stein98] Lincoln D. Stein, Web Security, Addison Wesley, 1998. (Written by the author of the WWW Security FAQ. A good, easy-to-read introduction to practical web security problems. Includes the nuts and bolts of real-life vulnerabilities and exploits. Very informative, but a bit outdated.)
- [Rubin01] Aviel D. Rubin, White-Hat Security Arsenal, Addison Wesley, 2001. (Written in a problem-solving style, discussing solutions for various security-related tasks faced by an enterprise. Intermediate/advanced level.)
- [Stallings11] William Stallings, Cryptography and Network Security, 5th Edition, Prentice Hall, 2011. (Provides comprehensive, academic textbook-style writing on the subject, including detailed technical descriptions of the algorithms and protocols. A bit too terse as an overview; better serves as a technical reference.)
- [Burnett01] Steve Burnett and Stephen Paine, RSA Security’s Official Guide to Cryptography, RSA Press, 2001. (Provides high-level descriptions on cryptography basics without getting into the technical details/mathematics).
- [Grimes01] Roger A. Grimes, Malicious Mobile Code, O’Reilly Press, 2001. (Detailed coverage of hostile mobile code for Windows-based systems.)
- [Anonymous03] Anonymous, Maximum Security, 4th Edition, SAMS, 2003. (A collection of chapters written by different authors, covering a wide range of practical network/system security issues)
- [Pfleeger06] Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, 4th Edition, Prentice Hall, 2006. (Describing security issues from a computing perspective.)
- [O’Neill03] Mark O’Neill, et al., Web Services Security, Wiley, 2003. (Provides an overview on the issues and enabling technologies for secure Web Services.)
- [Eastlake03] Donald E. Eastlake III and Kitty Niles, Security XML, Addison Wesley, 2003 (provides details about security features in XML).
- [Mitnick02] Kevin D. Mitnick and William L. Simon, The Art of Deception, Wiley, 2002. (Kevin Mitnick was a high-profile convicted hacker. The book provides first-hand insights into how “social engineering” is used to achieve security breaches of all types.)
- [Ferguson03] Niels Ferguson and Bruce Schneier, Practical Cryptography, Wiley, 2003. (A sequel to the classic by Bruce Schneier. It provides key insights into the design and implementation of real-world secure systems.)
- [Schneier04] Bruce Schneier, Secrets and Lies - Digital Security in a Networked World, Wiley, 2004. (Essay-style writing providing reflections on social, political and other not-so-technical aspects of security and privacy issues.)
- [Ford01] Warwick Ford and Michael S. Baum, Secure Electronic Commerce, 2nd Edition, Prentice Hall, 2001. (A very readable introduction to the protocols and systems designed for securing electronic commerce.)
- [Peikari03] Cyrus Peikari and Seth Fogie, Wireless Maximum Security, SAMS, 2003. (Focuses on practical vulnerabilities and exploits for 802.11 Wireless LAN systems.)
- [Heiderich11] Mario Heiderich et al, Web Application Obfuscation, Syngress press, 2011.
- [Clarke09] Justin Clarke, SQL Injection - Attacks and Defense, Syngress press, 2009.
- [Smith07] Sean Smith and John Marchesini, The Craft of System Security, Addison Wesley, 2007.
- [Rescorla01] Eric Rescorla, SSL and TLS, Addison Wesley, 2001. (Provides an authoritative treatment of the detailed technical design of the captioned protocols.)
- [Barman01] Scott Barman, Writing Information Security Policies, New Riders, 2001. (A good introduction about writing security policies.)
Additional Reference Pointers by Topic
- Attacking Tor: how the NSA targets users’ online anonymity
- Headers leak 120,000 student records in raid on world’s top universities
- Malware inserted on PC production lines, says study
Intrusion Detection Systems
Forensic Analysis
Novel Attack
Web Application Security/Cross-Site scripting (intro)
- OWASP Top 10 2021
- OWASP Top 10 2017
- OWASP Top 10 Mobile Risks 2016(RC)
- OWASP Top 10 in 2013
- OWASP 2007
- OWASP 2004
- Stanford Web Security Research
- GNUCITIZEN
- The Web Hacking Incident Database
- Browser Security Handbook
- XSS
- XSS, Cookies, and Session ID Authentication - Three Ingredients for a Successful Hack
- Cross Site Scripting Attacks: Xss Exploits And Defense
- XSS Theory
- Web Security from Google Code University
- XSS overview
Attack Patterns
General FAQs and Security Related Resources
- CERT/CC Malicious Web Scripts FAQ
- WWW Security FAQ
- Technical Resources and Course Web Site for Cryptography and Network Security: Principles and Practice, Second Edition
- The book Security Engineering: A Guide to Building Dependable Distributed Systems by Ross J. Anderson, publisher: Wiley
- RFC2196: Site Security Handbook
Cryptography
- RSA Laboratories Cryptography FAQ
- COPACOBANA: How to Break DES for 8980 Euros
- THE STORY OF NON-SECRET ENCRYPTION
- How easy is collision search? Application to DES.
- How easy is collision search? New results and application to DES.
- Marc Stevens (M.M.J. Stevens), https://marc-stevens.nl; in particular his PhD thesis “Attacks on Hash Functions and Applications”, pp. 1-258, 2012 (PDF).
- Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate
- MD5 Birthday Attack demonstration
Authentication Protocols Design, Mistakes and Lessons Learned
- Using Encryption for Authentication in Large Networks of Computers
- Authentication Revisited
- Prudent Engineering Practice for Cryptographic Protocols
- Programming Satan’s Computer
Network and System Security
- An Attack on the Needham-Schroeder Public-Key Authentication Protocol
- Dan Kaminsky DNS poisoning attacks
- The “full-disclosure” security mailing list
- Sniffing (network wiretap, sniffer) FAQ
- Home Network Security
- Building Internet Firewalls: Chapter 13: Internet Services and Firewalls of a book published by O’Reilly
- Top 125 Network Security Tools
- Googling Master Passwords for Automatic Teller Machines
- The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software
Buffer Overflow Attacks and Defenses
- Smashing the Stack for Fun and Profit by Aleph One
- Z Liang, R Sekar, “Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models”, Computer Security Applications Conference, 21st Annual, 2005
- J Pincus, B Baker, “Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns”, IEEE Security & Privacy, 2004
- C Cowan, S Beattie, J Johansen, P Wagle, “PointGuardTM: Protecting Pointers From Buffer Overflow Vulnerabilities”, Proc. of the 12th Usenix Security Symposium, 2003
- C Cowan, P Wagle, C Pu, S Beattie, J Walpole, “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade”, Foundations of Intrusion Tolerant Systems, 2003
- X Wang, CC Pan, P Liu, S Zhu, “SigFree: A Signature-free Buffer Overflow Attack Blocker”, Proceedings of the 15th conference on USENIX Security Symposium
- E Buchanan, R Roemer, H Shacham, S Savage, “When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC”, Proceedings of the 15th ACM conference on Computer and Communications Security
- J Wilander, M Kamkar, “A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention”, Proceedings of the 10th Network and Distributed System Security Symposium
Heap Overflow Attacks
String Formatting Attacks
IPSec
Wireless LAN Security
- Wireless LAN 802.11b Security FAQ
- Jesse Walker’s paper titled “Unsafe at any key length”
- Ch. 6, “Circumventing Security Measures”, in Hack Proofing Your Wireless Network by Neal O’Farrell, Syngress.
- Nancy Cam-Winget, Russ Housley, David Wagner and Jesse Walker, “Security Flaws in 802.11 Data Link Protocols”, Communications of the ACM, May 2003, Vol. 46, No. 5.
- Presentations (1, 2, 3) on Wireless LAN security by a group of graduate students (Tzachy Reinman, Roy Werber and Bracha Hod) for a class at the Hebrew University.
GSM Security
- The paper that led to the above news article: Elad Barkan, Eli Biham, Nathan Keller, Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication (.ps), CS-2003-05, Proceedings of Crypto 2003.
- Presentations (4, 5, 6) on GSM security by a group of graduate students (Yuri Sherman, Max Stepanov, Gregory Greenman) for a class at the Hebrew University.
- “A precis of the new attacks on GSM encryption”, Greg Rose, 10 Sep 2003.
Web Services
- Web Services Security
- Gokhale, B. Kumar, A. Sahuguet, “Re-inventing the Wheel? CORBA vs Web Services”, in the proceedings of WWW 2002.
Apache Web Server Digest-based Authentication
- Digest Authentication in Apache 1.3
- User authentication using MD5 Digest Authentication in Apache 2.0
- RFC2617: HTTP Authentication: Basic and Digest Access Authentication
Lecture Notes Acknowledgments
The Lecture notes used in this course have incorporated materials and/or adapted from the following sources:
The contribution and copyrights of the original authors are hereby acknowledged and recognized.
- Kurose and Ross, “Computer Networking: A Top-Down Approach Featuring the Internet”, 2nd Edition, Chapter 7
- William Stallings, “Cryptography and Network Security, 3rd Edition”
- Simson Garfinkel, Gene Spafford, “Web Security, Privacy and Commerce, 2nd Edition”
- Charlie Kaufman, Radia Perlman, Mike Speciner, “Network Security, 2nd Edition”
- Lincoln D. Stein, “Web Security”
- Ed Skoudis, “Counter Hack”
- Steve Burnett, Stephen Paine, “RSA Security’s Official Guide to Cryptography”
- Prof. Kris Gaj, George Mason University
- Prof. Vincent Costa, Hofstra University
- Prof. Henric Johnson, Blekinge Institute of Technology
- Prof. Henning Schulzrinne, Columbia University
- Prof. Wenke Lee, Georgia Tech
- Prof. Felix Wu, UC Davis
- Prof. Yehuda Afek, Tel Aviv University
- CERT/CC CMU
- Jochen Schiller, “Mobile Communications,” 2nd Edition, Addison Wesley
- Jesse Walker, Intel corp.
- James Kempf, DoCoMo Labs U.S.A.
- Prof. Wayne Dyksen, Dept of CSE, Michigan State University
- Drs. Lucas Hui, K.P. Chow, Dept of CS, The University of Hong Kong
- Hon Ching Lo, Dept of CS, Clarkson University
- Nancy Cam-Winget, Russ Housley, David Wagner and Jesse Walker, “Security Flaws in 802.11 Data Link Protocols,” Communications of the ACM, May 2003, Vol. 46, No. 5.