COMP 116: Introduction to Computer Security (ONLINE)
Tufts University Department of Computer Science, Summer Session B
- Ming Chow, email@example.com
- For emergencies or private matters, please e-mail or see me directly.
- COMP 15. Strongly recommended that you have taken COMP 40. Please disregard prerequisites listed in the University's bulletin as they are incorrect!
Hardware and Software for This Class (on your personal computer)
- A modern web browser (e.g., Firefox, Google Chrome, Chromium, Safari, Microsoft Edge)
- A command line interface to run Unix/Linux commands
Strongly Recommended Requirements
- Labs (75%)
- Quizzes (15%; there will be two, in week 2 and in week 6)
- Participation (including Weekly Readings and Debates) (10%)
Week 1: Networking and Attacking Networks
By the end of this week, you will be able to dissect packet captures (PCAPs), perform network reconnaissance and port scanning, and understand the methods of conducting a distributed denial of service (DDoS) attack.
- What is Security?
- The Attribution Problem
- How two computers talk to each other
- The OSI Model
- Internet Protocol (IP)
- Transmission Control Protocol (TCP)
- A Packet and PCAPs
- Promiscuous Mode
- Address Resolution Protocol (ARP)
- ARP Spoofing
- Scanning and Network Reconnaissance
- Ping Sweep
- Stealthy Scans
- Distributed Denial of Service (DDoS)
- DDoS: Teardrop
- DDoS: SYN flood
- DDoS: Amplification
Week 2: Cryptography
By the end of this week, you will be able to extract credentials sent insecurely via plaintext over the network, detect stealthy scans and other suspicious activities on your network, crack passwords on a Linux or Windows system, understand the difference between symmetric and asymmetric cryptography, understand and use one-way hash functions, understand how Transport Layer Security (TLS) works, intercept HTTPS traffic with a proxy, and understand how and how not to store users' passwords.
- The Golden Rule
- One Time Pad (OTP)
- Symmetric Algorithms
- One Way Hash Functions
- Applications of One Way Hash Functions
- Asymmetric Algorithms
- Applications of Asymmetric Algorithms
- Transport Layer Security (TLS) and How HTTPS Works
- John the Ripper
- Python and Scapy
- THC Hydra
Week 3: Web Security
By the end of this week, you will be able to perform and defend against the following attacks: Cross-Site Scripting (XSS), SQL injection, Cross-Site Request Forgery (CSRF), session hijacking, cookie tampering, directory traversal, command injection, and remote and local file inclusion.
- How the web works
- HTTP (HyperText Transfer Protocol)
- OWASP Top 10
- CWE/SANS Top 25 Most Dangerous Software Errors
- Vulnerable Web Applications to Practice On
- Web Proxies
- The Principle of Least Privilege
- Hard-Coded Credentials
- Cross Site Scripting (XSS)
- SQL Injection
- Cross Site Request Forgery (XSRF / CSRF)
- Command Execution
- Directory Traversal
- Cookie Tampering
- Remote and Local File Inclusion
- Burp Suite
- zaproxy (OWASP ZAP)
Week 4: The Capture The Flag Game
By the end of this week, you will be able to take advantage of a number of vulnerabilities on a live web server.
Week 5: Vulnerabilities, Static and Dynamic Analysis
By the end of this week, you will be exposed to and understand the difference between CVE and CWE, be able to scan for vulnerabilities, use static analysis software to identify vulnerabilities, understand the difference between static and dynamic analysis, and be able to write a technical risk analysis.
- Common Vulnerabilities and Exposures (CVE)
- Common Weakness Enumeration (CWE)
- National Vulnerability Database
- Vulnerability Scanning
- The badness-ometer
- Static Analysis
- Dynamic Analysis
- Strengths and Weaknesses of Static and Dynamic Analysis
- Technical Risk Analysis
- Exploit Database
Week 6: Malware
By the end of this week, you will be able to describe types of malware, see certain malware behaviors, scan and analyze malware, and reverse engineer Android apps to determine if they are malicious.
- Trojan Horse
- Using VirusTotal
- Android Malware
Topics That Will Not Be Covered In This Course
- Social Engineering
- x86, x64, ARM Reverse Engineering
Workload: All The Labs with Expected Length and Difficulty
- Lab 1: Working with the Command Line, Week 1, Short (1 hour max) to Medium (2 - 3 hours)
- Lab 2: Packet Sleuth, Week 1, Short to Medium
- Lab 3: Scanning and Reconnaissance, Week 1, Very short (30 minutes). NOTE: This lab cannot be made publicly available because an actual target is used.
- Lab 4: GRIZZLY STEPPE, Week 2, Short
- Lab 5: The Password Cracking Contest, Week 2, Due End of Semester. Good luck with that; I will be extremely surprised if anyone can break all passwords.
- Lab 6: Incident Alarm, Week 2, Long (over 3 hours)
- Lab 7: The XSS Game, Week 3, Very short
- Lab 8: Gain Access to Website, Week 3, Very short. NOTE: This lab cannot be made publicly available because an actual target is used.
- Lab 9: The Fuzzer, Week 3, Short to Long
- Lab 10: The CTF Game, you have one full week to play. NOTE: This lab cannot be made publicly available because an actual target is used.
- Lab 11: Technical Risk Analysis and Static Analysis, Week 5, Short to Medium. NOTE: This lab cannot be made publicly available because an actual target is used.
- Lab 12: Android Malware Analysis, Week 6, Short to Medium
All labs for a given week are due on the following week on a Wednesday at 11:59 PM (so yes, a week-and-a-half to do all labs for a week). The new week will be made available on Monday morning at 10 AM. Late labs are not accepted.
Expectations and Structure of This Online Course
This course will be a fun one for sure. A few notes on the expectations and structure of this course:
1. What this course will NOT have and what I will NOT do:
- Have set office hours.
- Require students to meet online during specific times.
- Require students to work in teams or on a semester group project.
- Require students to physically meet at the Tufts Medford Campus.
There are many good reasons why I will not do any of the above items:
- It's summertime. Many of you have commitments and plans already scheduled (e.g., vacation, dinners, weddings, conferences, family get-togethers).
- A number of you are working (full-time or internship). That's more important, as people need to live and eat.
- Some students are taking this course abroad. Thus, there are time zone differences.
Adding constraints and extra burden to your lives, especially during the summer, will not sit well with anyone. Extra constraints and burden also defeat the purpose of an online course. Thus, you will probably not see me at all this summer.
2. You work at your own pace.
You can choose to:
- Pace yourself during the week
- Do everything during the weekend
- Do everything at the last minute
- Not do any of the work
Your choice, but the latter three choices are not wise.
3. You are responsible for your own learning.
A very important point: if you want everything gone over in lecture or in notes, then this is not the course for you. More importantly, that's not how things work in real life.
4. You will learn by doing.
Each week, there will be at most three labs (and a quiz every other week) to hone your skills and to aim at the crux of the matter for the week. Here's an analogy: you don't learn how to cook simply by just reading cookbooks and watching YouTube videos. You learn by making, using your hands, and making mistakes.
5. You will learn by asking questions.
It is your responsibility to ask questions early and to ask for help...
6. ...and I expect the Piazza board to be very active and civil.
Share thoughts and respond to other people's questions. I will be online constantly, thus the idea of set office hours almost becomes a moot point. It is no secret that I respond very quickly unless I need to be away.
There is a very good post published by Northeastern University: "How To Be a Successful Online Learner." Link: https://www.northeastern.edu/graduate/blog/successful-online-learning-strategies/.