Sunday, August 31, 2008

Assignment 1 Available

Assignment 1 is now posted on the web. Access is limited to Notre Dame users, so you'll have to log in with your NetID and password to access the file. It is due on September 15th at 11:45 in hard copy form. We'll be spending that day discussing the case study.

For quick reference, here are links to the two references you'll need:

Hurricane Gustav and Information Security

What do you think is going on in the minds of information security professionals in Louisiana right now as they prepare for Hurricane Gustav? That's a topic that would make for some excellent blog posts.

You might want to read the article Security Lessons from Katrina if you're interested in this topic.

You also might be interested in reading Disaster Recovery: The Time is Now. That article contains some insights from institutions of higher education, including our colleagues at Tulane, that were severely impacted by the storm.

We're also likely to see an upsurge in disaster scam spam in the aftermath of the storm if there is widespread destruction.

Monday, August 25, 2008

Case Studies

In order to provide a broad exposure to information security issues and events, each student is expected to present one case study to the class during the course of the semester. The case study topics we'll tentatively cover each day are listed below. If you would like to cover a topic not appearing below, feel free to suggest something new and we'll cover it in class.

The topics above are linked to supporting materials, where available. You may need to do additional research to provide enough material to fill your class discussion time. Your talk should be about 10 minutes long and cover the following items:

  • What happened?
  • What is the root cause of the event?
  • What would you have done differently?

Please select a topic by adding a comment to this blog post. First come, first served.

Welcome to the Course Blog

This blog is designed for students in the Information Security course in Notre Dame's Computer Applications Program (CAPP 40260). You are expected to read this blog regularly and participate frequently. As discussed in the course syllabus, it will comprise a significant portion of your grade.

Blog Purpose

The blog has two purposes. First and foremost, it is a discussion venue for information security topics that we discuss in class or that you encounter in the real world. More on that in a second. I will also use this blog to disseminate information about the course, including assignments, lecture notes and other materials.

Accessing the Blog

There are two ways you can access the blog:

Blog Participation

Your participation in this blog is an important part of the course and will play a role in determining your grade. You'll need to create a Google account (if you don't already have one) to create or comment on blog posts.

Important note: any posts or comments you make on this blog will be readable by anyone on the Internet. This includes your roommates, significant other, future spouse, employers and the CIA. For this reason, I don't expect that you will use your real name on your postings. It's perfectly acceptable to post under a pseudonym (which you can set using the Display name option in your Google Account). Just send me an e-mail letting me know what pseudonym you've adopted so I can track your participation for grading purposes.

I expect that, during the course of the semester, you will make at least one contribution per week (excluding Fall Break and Thanksgiving week). Those contributions may be either original blog posts or substantial comments on another student's blog post. Your participation grade will depend much more on the quality of your posts than the quantity of your posts. Here are some additional guidelines:

  • At least one contribution every month should be a full blog post (either a security review or a current event). This means that you should make at least 4 full posts during the course of the semester.
  • At least one of the posts you make during the semester should be a security review.
  • At least one of the posts you make during the semester should be a current event. Please do not create multiple full posts about the same event -- that's what comments are for!

The blog posts and comments will be an important part of our classroom discussions. Therefore, I expect that you will read each other's posts and comments before coming to each class session. Please be prepared to continue the blog discussion in the classroom.

Security Reviews

The goal of the security reviews is to help you develop a security mindset. To quote Bruce Schneier, "This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems."

In your security review postings, I'd like you to choose a particular technology (it doesn't need to be high technology!) and write a detailed evaluation of the security features of that technology. Your evaluation should include:

  • A short (5-10 sentence) description of the technology with references, as appropriate.
  • Explain the security goals that you would have for the technology if you were the owner. Reference this in terms of confidentiality, integrity and availability. Include a description of the asset(s) in question.
  • Explain the goals you would have if you were an attacker attempting to exploit the technology. Explain this in terms of disclosure, alteration and denial. Include a description of the threat(s) that may exist.
  • Describe any vulnerabilities you might identify in the technology. Are there weaknesses that you can see that an attacker might exploit? Describe a potential attack.
  • Discuss the risk that you perceive is inherent in this technology based upon the asset's value, the threats and the vulnerabilities.
  • Make a recommendation to the owner of the system regarding the appropriate risk management strategy (or mix of strategies) they should pursue based upon your risk assessment. Recall that the possible risk management strategies are risk avoidance, risk acceptance, risk mitigation and risk transference.

I encourage you to choose technologies for these reviews that you encounter in your everyday life. As you go about your day, look at systems in a new way: think through the eyes of a criminal. If you were trying to exploit a system, what would you do?

A University of Washington course followed a similar process and came up with some good reviews. Please note that the professor for that course used a different format than I am requesting you use. Highlights included:

Important note: You are being asked to evaluate the security of the technology, not test it. You should not attempt to do anything that may be illegal or unethical.

Current Events

Current Events postings are descriptions of a current event in the world of information security. These might be stories about security incidents that occur during the course of the semester, announcements of security vulnerabilities, or other interesting security news.

When you make a current events post, provide a link to the original article. Include in your post the following details:

  • Brief summary of the event
  • Thoughts on the actual or potential cause of the event (depending upon what information is available)
  • Recommendations on how the affected individuals/organization should respond to the event. (e.g. in the case of a security breach, what should the company do? What should individuals affected by the breach do?)

Some sources you might consider for information security news include:

Some examples of good current events postings from a course at the University of Washington include:

Acknowledgments

This idea is not original. The concept of building a security mindset through class participation in a blog community, including the use of security reviews and current events discussions, comes from Professor Tadayoshi Kohno of the University of Washington's Computer Science and Engineering Department. He used this concept in a Computer Security course at UW and Bruce Schneier wrote about it in a blog posting entitled The Security Mindset.