Sismat Workshops

Plaintext paste btw, no formatting yet.

SISMAT 2012 Agenda

This page holds links, topics, exercises, and the schedule for SISMAT 2012. Please feel free to improve and augment it with links, notes, or information. Please do give attribution to other sources if you include them.

Monday 18 June

Everybody arrives.

Tuesday 19 June (Overview, Introduction)

   12:00 - 13:30 Welcome lunch / remarks (Sudi 213)
       Roundtable introduction
       Pre-test
       Papers Assigned
   13:30 - 13:45 Break
   13:45 - 14:00 Discussion
       Brief review of read-ahead materials: SISMAT Prep Material
       What do you want to see? Topics?
       Culture shock and shedding normal academic interaction
       Security Mailing Lists
   14:00 - 16:30 “Security”
       What is security? (and Wordle)
       No-tech hacking: http://www.youtube.com/watch?v=5CWrzVJYLWw
       Linux command line basics
       strace

Tonight

   make sure you have access to a Unix or Linux platform
   vmware player
   virtualbox
   xen
   QEMU

Readings

   Ethics
       http://www.dartmouth.edu/~reg/regulations/undergrad/acad-honor.html
       CACM Code of Ethics: http://www.acm.org/about/code-of-ethics

Wednesday 20 June (Ethics, System Basics, Shellcode)

   08:30 - 09:00 Breakfast (Sudi 213)
   09:00 - 10:30 Lecture 1 (Sudi 213) Ethics Discussion
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2 (Sudi 213) Intro to IA-32, ELF format, ELF toolchain (readelf, objdump)
   12:30 - 14:30 Lunch (2 hour break)
   14:30 - 16:00 Lab 1 (Sudi 002) IA-32 Assembly Programming with NASM / System Calls on Linux
   16:00 - 16:15 Break
   16:15 - 18:00 Lab 2 (Sudi 002) Shellcode Disassembly

Lab 1

Setup: see how gcc produces x86 assembly. Examine the assembly. How can we write a small amount of assembly code and directly assemble from that to a valid ELF binary? For task 2, where do we find syscall definitions? What is the system call calling convention on Linux?

   Task 1: Your task is to print out the distribution of instructions in glibc on your Linux machine.
   Task 2: Write a small assembly program to output “hello, world”
   Task 2b: (Optional) If you are ambitious, modify above program to read from a file or stdin and echo to stdout
   Task 3: (Optional) Modify your program to execve a shell

Lab 2

This lab further illustrates the system call calling conventions and how to spawn a shell via execve(2)

   Task 1: Hand-execute a piece of shellcode ( http://www.shell-storm.org/shellcode/files/shellcode-606.php )
   Task 2: Analyze the semantics of this shellcode (fix broken -p, patch xor ecx,ecx)
   Task 3: (Advanced: hand-execute a piece of polymorphic shellcode)

Goals / Outcomes

The purpose of these labs is to provide you with an introduction to low-level assembly programming and viewing the execution of programs from multiple layers of abstraction (source code, assembly code, ELF, system call API).

Things you should know after doing these labs:

   Difference between a system call and a library call
   How to invoke a system call in Linux at the assembly level
   Understand how a program is loaded and executed by the OS
   Understand the ELF concept and format
   Understand the tools available for static disassembly (ndisasm, udcli, objdump -d)
   Understand how individual instructions manipulate various parts of the process address space

Reading for Wed. Night

   http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
   AoE: pages 19 - 37
   AoE: pages 281 - 295
   http://www.phrack.org/issues.html?issue=59&id=5&mode=txt

Other References

   http://udis86.sourceforge.net/ (tool we can use for disassembly of byte sequences at the command line)
   http://www.phrack.com/issues.html?issue=56&id=9#article
   http://www.hick.org/code/skape/papers/needle.txt
   Intel Software Developers Manual, Volume 3A: System Programming Guide, Part 1 Sections 2.1, 2.2, 2.3, 2.4, 2.5 and 2.7
   http://www.unixwiz.net/techtips/win32-callconv-asm.html

Ethics Discussion

Ethical Considerations in Information Security

Notes

Thursday 21 June (System Instrumentation)

   08:30 - 09:00 Breakfast (Sudi 213)
   09:00 - 10:30 Lecture 1 (Sudi 213) Hardware Support for Protection
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2 (Sudi 213) understanding ptrace(2) kernel implementation
   12:30 - 14:30 Lunch (2 hour break)
   14:30 - 16:00 Lab 1 (Sudi 002) Guest Lecture: Dickie George
   16:00 - 16:15 Break
   16:15 - 18:00 Lab 2 (Sudi 002) ptrace exercises

Lab 1

template code is here http://tsg.cpsc.ucalgary.ca/teaching/ptrace/

These links point to various places in the Linux kernel source code dealing with ptrace.

   The ptrace API: http://lxr.linux.no/#linux+v2.6.37/include/linux/ptrace.h (defines function prototypes for internal kernel service routines related to ptrace and “types” for ptrace requests)
   The platform-specific ptrace API: http://lxr.linux.no/#linux+v2.6.37/arch/x86/include/asm/ptrace.h
   The architecture-specific ABI: http://lxr.linux.no/#linux+v2.6.37/arch/x86/include/asm/ptrace-abi.h
   Definition of sys_ptrace system call function signature: http://lxr.linux.no/#linux+v2.6.37/include/linux/syscalls.h#L704
   enumeration of sys_ptrace in the system call list (number 26): http://lxr.linux.no/#linux+v2.6.37/arch/x86/kernel/syscall_table_32.S#L28
   Definition of Linux “task_struct”, the Process Control Block. Note particularly the location of ptrace-related flags and signal-related flags like 'ptrace', 'parent', 'real_parent', etc. http://lxr.linux.no/#linux+v2.6.37/include/linux/sched.h#L1182
   The “highest” layer of ptrace's implementation dealing with finding the process to trace and attaching: http://lxr.linux.no/#linux+v2.6.37/kernel/ptrace.c#L697 (note the use of the SYSCALL_DEFINE4 macro)
   See definition of the SYSCALL_DEFINE macros: http://lxr.linux.no/#linux+v2.6.37/include/linux/syscalls.h#L188
   The part of ptrace's implementation dealing with architecturally-specific requests: http://lxr.linux.no/#linux+v2.6.37/arch/x86/kernel/ptrace.c#L804

Resources

   Intel Developer Manual
       Section 6.1 (Interrupt and Exception Overview)
       Section 6.2 (Exception and Interrupt Vectors)
       Section 6.10 (Interrupt Descriptor Table (IDT))
       Section 6.11 IDT Descriptors
       Figure 2-1 (specifically, the IDTR+IDT use)
       Section 2.7 (System Instruction Summary)
       Table 2-2
   Links
       http://wiki.osdev.org/Interrupt_Descriptor_Table
       http://www.logix.cz/michal/doc/i386/chp09-00.htm
       http://ece.wpi.edu/~wrm/Courses/EE3803/Labs/roehrl.html
       http://wiki.osdev.org/GDT_Tutorial
       VDSO definition: http://kernelnewbies.org/KernelGlossary#V
       Linux-gate vdso insight: http://www.trilithium.com/johan/2005/08/linux-gate/
       SYSENTER/SYSEXIT trivia: http://lkml.org/lkml/2002/12/18/218

Friday 22 June (Debugging and Simple Vulnerabilities)

   08:30 - 09:00 Breakfast (Sudi 213)
   09:00 - 10:30 Lecture 1 (Sudi 213) Guest Lecture by Doug Madory, Renesys
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2 (Sudi 213) GDB basics, stack setup/activation record layout/calling conventions
   12:30 - 14:30 Lunch (2 hour break)
   14:30 - 15:00 Lecture 3: Studying Risk, Wreckage, and Errors
   15:00 - 16:00 Lab 1 (Sudi 002) libpng vuln analysis
   16:00 - 16:15 Break
   16:15 - 18:30 Lab 2 (Sudi 002) Inject small shellcode into target

Notes / References

   http://www.unixwiz.net/techtips/win32-callconv-asm.html

Lab 1

This lab is a guided exercise and walkthrough of this vulnerability and a PoC exploit.

   http://scary.beasts.org/security/CESA-2004-001.txt
   link to proof of concept PNG exploit: http://scary.beasts.org/misc/pngtest_bad.png
   http://www.kb.cert.org/vuls/id/388984
   http://www.libpng.org/pub/png/libpng.html

Your machine likely has a number of protections in place already, and performing basic exploit research to understand the basic concepts (e.g., those presented in “Smashing the Stack for Fun and Profit” http://www.phrack.com/issues.html?issue=49&id=14&mode=txt ) requires you to turn them off to remove some complexity. This includes (but isn't limited to):

   compiling programs with -fno-stack-protector
   turning off ASLR: as root, `echo 0 > /proc/sys/kernel/randomize_va_space'
   marking executables as needing executable data areas: `execstack -s a.out'

Lab 2

This lab is a joint class exercise to design the various pieces and then implement them.

   Write a small piece of standalone assembly code that executes a system call (do something interesting, like open, read, or write to a file, or fetch the process ID)
   store the resulting bytes in a file
   write a small, intentionally-vulnerable program that opens the “payload” file and reads in the bytes to a buffer on the program's stack; you should construct this buffer and the payload so that you overwrite the return address
   make sure to disable any protections and enable something else FIXME
   running your victim program on your payload should cause your “injected” shellcode to execute and achieve the goal of your shellcode

Lab 3 (option)

   “weaponize” the PoC libpng vulnerability

Lab 4 (option)

   Profile ASLR w/ assembly code

Saturday 23 June (Shellcode Injection cont.)

   noon - 1pm: prepare for shellcode injection exercise
   1 - 2pm: pizza
   2 - 5pm: shellcode injection lab
   5 - 6pm: movie

Sunday 24 June (Off)

Monday 25 June (Introduction to Network Security)

   08:30 - 09:00 Breakfast (Sudi 213)
   09:00 - 10:30 Lecture 1 (Sudi 213) Participant paper presentations (4)
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2 (Sudi 213) Introduction to Web Security
   12:30 - 14:30 Lunch (2 hour break)
   14:30 - 16:00 Lab 1 (Sudi 002) Lecture: Introduction to networking (Sergey Bratus)
   16:00 - 16:15 Break
   16:15 - 18:00 Lab 2 (Sudi 002) Lab: Introduction to network (cont).

Notes

   http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html
   ICMP message types: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml
   on IDS evasion: http://www.stanford.edu/~stinson/paper_notes/nids/ptacek_newsham.txt
   http://www.insecure.org/stf/secnet_ids/secnet_ids.pdf
   on IDS evasion: http://www.icir.org/vern/papers/norm-usenix-sec-01.pdf
   (multiple traceroutes picture) http://tsg.cpsc.ucalgary.ca/research/cloud/pathlock.png
   on the legal and ethical issues involved in sniffing network traffic: http://www.imconf.net/imc-2007/papers/imc152.pdf
   VM-based Security Overkill: A Lament for Applied Systems Security Research. Sergey Bratus, Michael E. Locasto, Ashwin Ramaswamy, and Sean W. Smith. Proceedings of the 19th New Security Paradigms Workshop (NSPW 2010). September 2010. Concord, MA, USA.
   http://www.webmonkey.com/2012/06/error-451-this-page-has-been-burned/

Friday Night Reading

   TCSS, Chapter 12.1 “The Web and Security: Basic Structure”

Tuesday 26 June (Network Manipulation)

   08:30 - 09:00 Breakfast
   09:00 - 10:30 Lecture 1: Paper presentations
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture/Lab 1: networking utilities: nc, ifconfig, ping/icmp, tcpdump, traceroute
   12:30 - 14:30 Lunch (on own)
   14:30 - 16:30 Lab 2: packet construction
   16:30 - 16:45 Break
   16:45 - 17:45 Lab 3: Google Gruyere

Lab 1

Traceroute and tcpdump. Draw your network associations. Reproduce this kind of graph, using GraphViz, for your machine.

   http://tsg.cpsc.ucalgary.ca/research/cloud/graph.pdf

Lab 2

Packet construction.

The purpose of this lab is to gain experience with command-line packet crafting tools.

   Task 0: Warmup. Install sendip or dnet. I find dnet to be easier to use than sendip. Install netcat.
   Task 1: Pair up. Find out what your neighbor's IP address is. Verify that you can contact them. Examine your ARP table. Examine your routing table.
   Task 2: Stretch. Use the netcat tool to initiate a port scan of your partner's machine. Do not use nmap. Have your partner run tcpdump, filtering by packets from your machine, to observe the scan. What type of packets do you see? Does a full TCP handshake occur for each port?
   Task 3: Have your partner run netcat on a port of their choosing. Use dnet or sendip to craft a nice message to this netcat instance.
   Task 4: Using dnet or sendip only, convince your partner's machine that your machine has the gateway's IP and MAC address by crafting the appropriate ARP messages and sending them to the network. Challenge: use an existing tool like Graphviz to illustrate the evolution of your machine's ARP table.
   Task 5: Using tcpdump, observe only DHCP traffic on the network.
   Task 6: Inject DHCP offers into the network. You may wish to read the DHCP RFC
   Task 7: Hint: you may wish to read the DHCP RFC. You may also wish to peruse the DHCP RFC, after which you should refresh your knowledge of the DHCP RFC.

Lab 3

You can tackle these in any order.

   Task 1: Visit http://www.hack-test.com/ and get as far through it as possible.
   Task 2: Visit http://google-gruyere.appspot.com/ and work through these exercises.

Notes and Resources

   http://en.wikipedia.org/wiki/MacGuffin
   Google's Browser Security Handbook: http://code.google.com/p/browsersec/wiki/Main
   Platform for Privacy Preferences (P3P) http://www.w3.org/P3P/
   http://www.owasp.org/index.php/Top_10_2010-Main (list appears midway down page)
   HTTP Request/Response Modifiers
       https://addons.mozilla.org/en-US/firefox/addon/9727 (RequestPolicy)
       https://addons.mozilla.org/en-US/firefox/addon/967 (ModifyHeaders)
       OWASP WebScarab Project http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
   https://panopticlick.eff.org/
   http://googleonlinesecurity.blogspot.com/2010/05/do-know-evil-web-application.html
   reviewed web application architecture
   http://xkcd.com/327/
   http://www.w3.org/Protocols/rfc2616/rfc2616.html
   http://www.whattheinternetknowsaboutyou.com/
   OWASP Top Ten Web Security Issues for 2007
   OWASP Top Ten Web Security Issues for 2010
   OWASP Top Five PHP Security Issues
   http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
   PHP Prepared Statements and Stored Procedures
   http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
   http://www.phpbuilder.com/columns/ryan_mcgeehan20060627.php3?print_mode=1
   http://duartes.org/gustavo/articles/Hands-on-Sql-Injection.aspx (link is broken, see his blog)
   http://code.google.com/p/skipfish/wiki/SkipfishDoc (Web App Vulnerability Scanner)
   http://code.google.com/p/owaspbwa/ (OWASP “broken” web app examples)
   dnsspoof
   arpspoof
   dsniff
   fragrouter

Wednesday 27 June (Organizational Security, Intrusion Detection)

   08:30 - 09:00 Breakfast
   09:00 - 10:30 Lecture 1: Guest Lecture: Steve Nyman, CISO of Dartmouth PKCS
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2: Intrusion detection. Intrusion recovery scenario; libpcap, libvei
   12:30 - 14:30 Lunch (on own)
   14:30 - 16:30 Lab 1: Building an intrusion sensor. intrusion sensor engineering. Intrusion detection planning exercise
   16:30 - 16:45 Break
   16:45 - 17:45 Lab 2: finish presentations

Presentation Notes

   http://en.wikipedia.org/wiki/ISO/IEC_27002

Wed 27 Notes

   http://pages.cpsc.ucalgary.ca/~locasto/papers/boulders.pdf
   http://www.usenix.org/event/lisa09/tech/slides/locasto.pdf
   Verizon's Data Breach Report (2008)
   Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack
   Chronicle of a Server Break-In (see link to Paul's actual postmortem)
   Abe Singer. “Tempting Fate,” ;login:, Volume 30, #1, Usenix Association, November 2005.
   Cliff Stoll. The Cuckoo's Egg
   IDS evasion
       http://www.symantec.com/connect/articles/ids-evasion-techniques-and-tactics
       http://www.symantec.com/connect/articles/evading-nids-revisited
       http://insecure.org/stf/secnet_ids/secnet_ids.html

Lab 1 / Team 1

Your task is to produce a set of valid x86 sequences that end in RET from the glibc (a ROP gadget toolkit).

Lab2 / Team GelatoR001Z

Your task is to build, as a large team, an intrusion sensor that reads network packets from the network and tries to disassemble them.

Programming Notes for Lab 1

   Locasto's libpcap tutorial: http://wiki.ucalgary.ca/page/Libpcap_tutorial
   programming systems sense
       if you are on public: http://www.cs.dartmouth.edu/~kelps/seans_notes/
       else, http://www.cs.dartmouth.edu/~cs58/lectures/oct20/index.shtml
   “Hints for Computer System Design”: http://research.microsoft.com/en-us/um/people/blampson/33-Hints/WebPage.html
   Concurrent programming help:
       http://www.cs.dartmouth.edu/~cs58/lectures/index.shtml
       https://computing.llnl.gov/tutorials/pthreads/

Thursday 28 June (Attacks and Bugs)

   08:30 - 09:00 Breakfast
   09:00 - 10:30 Lecture 1: Guest Lecture: Adam Goldstein (Dartmouth PKCS)
   10:30 - 11:00 Break
   11:00 - 12:30 Lecture 2: Guest Lecture: Richard Weiss “On the Attack Chain”
   11:30 - 13:30 Lunch (on own)
   13:30 - 14:00 Meet at 002
   14:00 - 14:30 SISMAT group photo
   14:30 - 16:00 Lab 1: Nessus lab (scan Apache)
   16:00 - 16:15 Break
   16:15 - 17:45 Lab 2: Polymorphic shellcode lab (see links below)
   17:45 - 18:45 Outwash and Ethics Discussion (wrap up)

Lab 1

Scanning for vulnerabilities.

Install Apache and Nessus. Scan.

Lab 2

Polymorphic shellcode.

What do these pieces of shellcode do? Hand-execute them to find out.

   http://tsg.cpsc.ucalgary.ca/teaching/polymorphic/

28 June Notes

Ethical Considerations in Information Security

Notes

Friday 29 June (Capture the Flag / Packetwars)

   08:30 - 09:00 breakfast
   09:00 - 10:00 Introduction to Packetwars
   10:00 - 12:30 Session 1 PacketWars (plus video, photos)
   12:30 - 14:00 Lunch break (1 hour)
   14:00 - 16:30 Session 2 PacketWars
   16:30 - 17:00 post-CtF outwash (do we want to form an official SISMAT CtF team?)
   17:00 - 17:30 SISMAT 2012 Post test

29 June Notes

Today Bryan Fite will guide us in an all-day capture-the-flag style team competitive exercise called PacketWars.

Take-Home Exercises

   digital footprint size experiment:
       how big is your digital footprint?
       how much entropy do your passwords have? (z-strings)
   bug diagnoses (find and analyze a bug in real software)
   beat up your OS: http://pages.cpsc.ucalgary.ca/~locasto/teaching/2012/CPSC457/hw2.txt

Paper Presentations

Pick a paper and prepare a 20-minute presentation on it, pretending that you are the author defending the work and providing a summary of it. Prepare for 5 to 10 minutes of questions on the paper from other students and the instructors. Your presentations will take place next week.

                    Paper  Presenter
   Monday      1    2      Philip
   Monday      1    3      Dibyo
   Monday      1    4      Trey
   Monday      1    5      Evaristo
   Tuesday     1    7      Mike
   Tuesday     1    8      Corey
   Tuesday     1    9      Stefan
   Tuesday     1    11     Daniel
   Tuesday     1    13     Eman
   Tuesday     1    14     Wadha
   Wednesday   3    18     Michele
   Wednesday   3    10     Nathan
   Wednesday   3    17     Jordan

   1. Protection in an information processing utility
   2. A hardware architecture for implementing protection rings
   3. Protection in Operating Systems
   4. SecureSwitch: BIOS-Assisted Isolation and Switch between Trusted and Untrusted Commodity OSes
   5. Intrusion Recovery Using Selective Re-execution
   6. XFI: Software Guards for System Address Spaces
   7. "Transparent Runtime Defense Against Stack Smashing Attacks"
   8. "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks"
   9. "On the Effectiveness of Address Space Randomization"
   10. "Return Oriented Rootkits" by Hund, Holz, and Freiling
   11. "Building Diverse Computer Systems"
   12. "Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks" or "Countering Code-Injection Attacks with Instruction-Set Randomization"
   13. "The Geometry of Innocent Flesh on the Bone"
   14. "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention"
   15. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
   16. PointGuard(TM): Protecting Pointers From Buffer Overflow Vulnerabilities
   17. RIPE: Runtime Intrusion Prevention Evaluator
   18. Hit 'em Where it Hurts: A Live Security Exercise on Cyber Situational Awareness

News and Links

   https://www.trustedsec.com/july-2012/yahoo-voice-website-breached-400000-compromised/
   http://news.cnet.com/8301-1009_3-57470878-83/yahoo-breach-swiped-passwords-by-the-numbers/?tag=txt;title
   http://news.cnet.com/8301-1023_3-57469950-93/obama-signs-order-outlining-emergency-internet-control/?tag=postrtcol;mostPop
   http://news.cnet.com/8301-1009_3-57470786-83/hackers-post-450k-credentials-pilfered-from-yahoo/
   http://security.blogs.cnn.com/2012/07/04/homeland-security-cites-sharp-rise-in-cyber-attacks/?hpt=hp_t2
   Operation Shady Rat (as reported by The Register)
   Operation Shady Rat (the McAfee report)
   Random Number Generation (what has Intel been doing?)
   Ethics (plagiarism hurts everyone)
   Swatting Attack (ethics; using the digital to affect the real)
   Who Are Attackers After? (money)
   Govt "Fights" "Hackers" (two unrelated stories: Anonymous/Wikileaks arrests, and the arrest of Aaron Swartz for downloading JSTOR articles)
   Deep Packet Inspection (Canada Digital Freedom)
   The Windows Heap (Microsoft knows that the heap keeps on giving)
   Disguising Malware is Easy
   Frustrating Facial Analysis
   GRSecurity (these guys are awesome)
   Recurity (these guys are also awesome)
   Update on RSA Hack of 2011 (it is much worse than initially admitted, but this was an open secret…)
   http://dev.metasploit.com/redmine/projects/framework/repository/revisions/13225/entry/modules/post/windows/gather/memory_grep.rb
   ARP: http://sid.rstack.org/arp-sk/
   disclosure policy cite: http://www.huffingtonpost.com/2011/11/16/charlie-miller-apple-cybersecurity-bug-hacker_n_1095330.html
   Bugs stay unpatched http://www.neowin.net/news/windows-has-a-17-year-old-un-patched-vulnerability
   technical approaches to avoiding cross-border data examination (by the EFF) https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices
   http://blogs.wsj.com/digits/2012/01/13/u-s-business-defenses-against-hackers-are-like-the-maginot-line-nsa-chief-says/
   usenet flamewar on “hackers”: https://groups.google.com/forum/?fromgroups#!topic/comp.security.unix/Q_eI2DUsiGQ
   http://blogs.computerworld.com/19073/dirty_little_secrets_revealed_by_ethical_hackers
   http://money.cnn.com/2012/03/05/technology/hacker_school/index.htm?source=cnn_bin
   http://www.cbc.ca/news/canada/british-columbia/story/2012/03/06/bc-stolen-ubc-computer-personal-info.html
   http://arstechnica.com/business/news/2012/03/porn-site-digital-playground-hacked-hackers-say-too-enticing-to-resist.ars
   Was AntiSec an FBI front? http://gizmodo.com/5893703/was-the-antisec-hacking-spree-an-fbi-front-all-along
   Cyber-bullying: http://arstechnica.com/tech-policy/news/2012/03/rutgers-cyberbully-found-guilty-of-privacy-invasion-hate-crimes.ars
   http://t.co/oWyp9Msm
   http://t.co/sgDWBW4c
   https://banu.com/blog/42/openbsd-bug-in-the-random-function/
   http://us.cnn.com/2012/04/03/tech/mobile/police-phone-tracking-gahran/index.html?hpt=hp_t3
   http://us.cnn.com/2012/04/05/world/europe/uk-sky-hacking/index.html?hpt=hp_t2
   Ethics: Stanford prison experiment http://www.prisonexp.org/
   Privacy/Ethics: Should we let children on Facebook: http://www.economist.com/node/21556578?fsrc=scn/tw/te/ar/letthenippersnetwork
   A Case Study of the Application of Dynamic Symbolic Execution to Real-World Binary Programs http://www.reddit.com/r/ReverseEngineering/comments/uqodq/a_case_study_of_the_application_of_dynamic/
   Free malware and security tools: http://www.foocodechu.com/?q=node/70
   Duqu Analysis: http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework
   Chris Evans on Browser security: http://scarybeastsecurity.blogspot.ca/2012/01/dirty-secret-of-browser-security-1.html
   The Problem With OAuth: http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
   Observations about Linux ASLR: http://scarybeastsecurity.blogspot.ca/2012/03/some-random-observations-on-linux-aslr.html
   VMWare Backdoor: http://www.securityfocus.com/archive/1/522141
   INFILTRATE presentations: http://www.immunityinc.com/presentations.shtml
   http://recon.cx/2012/training.html
   Recurity (Security Industry Research) http://recurity-labs.com/content/pub/papers.shtml
   mail list post: exploiting NULL dereferences: http://seclists.org/dailydave/2009/q4/23
   FLAME: http://www.wired.com/threatlevel/2012/05/flame/
   FLAME crypto breakthrough: http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/
   Connection btwn stuxnet and flame? http://www.securelist.com/en/blog/208193568/Back_to_Stuxnet_the_missing_link
   supply chain vulns (hardware backdoors) https://www.cl.cam.ac.uk/~sps32/sec_news.html#Assurance
   or not: http://erratasec.blogspot.ca/2012/05/bogus-story-no-chinese-backdoor-in.html
   cybersecurity demand growing: http://www.washingtonpost.com/business/economy/cybersecurity-experts-needed-to-meet-growing-demand/2012/05/29/gJQAtev1yU_story.html (demand grows, but does real actual need grow?)
   Security fail? in MySQL: http://seclists.org/oss-sec/2012/q2/493
   Mindset: http://www.schneier.com/blog/archives/2012/06/teaching_the_se.html
   Mindset: http://www.nukees.com/d/20070328.html
   Security Indicators: why cybersecurity experiments may be flawed: http://www.andrewpatrick.ca/essays/commentary-on-research-on-new-security-indicators
   Code is complex: http://www.laputan.org/mud/
   Concealing XSS injection in HTML5: http://samuli.hakoniemi.net/how-to-conceal-xss-injection-in-html5/
   See also: advanced topics in privacy: http://www.cs.indiana.edu/~kapadia/courses/I590-Fall-10/schedule.html
   Bellovin Network Security class: https://www.cs.columbia.edu/~smb/classes/f06/lectures.html
   Google Apps doesn't meet LAPD security requirements (how do you do that, anyway?) http://arstechnica.com/business/2011/10/google-apps-hasnt-met-lapds-security-requirements-city-demands-refund/
   You Selling Your Privacy: http://us.cnn.com/2012/02/24/tech/web/owning-your-data-online/index.html?hpt=hp_t2
   Ethical Disclosure: OK to publish bird flu studies? http://thechart.blogs.cnn.com/2012/04/23/nih-ok-to-publish-controversial-bird-flu-studies/?hpt=hp_t2
   embedded device hacking: http://www.devttys0.com/blog/
   attacking linux kernel security: http://forums.grsecurity.net/viewtopic.php?f=7&t=2596
   disclosure and patch battle: https://igurublog.wordpress.com/2011/03/16/the-forbidden-subject/
   data integrity of backups and remote storage: http://www.daemonology.net/blog/2011-06-03-insecurity-in-the-jungle.html
   protected mode execution as an anti-debugging feature: http://j00ru.vexillium.org/?p=866
   It's OK to let students hack: http://geekout.blogs.cnn.com/2012/04/23/students-chow-down-on-cyber-security-weaknesses/?hpt=hp_bn10
   Information Security Audit class / case study: http://www.cs.uwp.edu/staff/lincke/infosec/
   MintChip audit anyone? http://developer.mintchipchallenge.com/devguide/index.php
   Shelia: a client-side honeypot: http://www.cs.vu.nl/~herbertb/misc/shelia/

Tools

   ERESI: http://www.eresi-project.org/ (reverse engineering)
   Google NaCL: Native Client http://code.google.com/p/nativeclient/
   TrustVisor: http://www.google.ca/search?q=trustvisor&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

Specific Vulnerabilities

   JPEG COM: http://www.openwall.com/articles/JPEG-COM-Marker-Vulnerability
   link to NULLHttpd: http://www.securityfocus.com/bid/5774/references
   NULLhttpd exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/nullhttpd.c
   ghttpd vuln: http://www.securityfocus.com/bid/2879/info
   ghttpd exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/ghttp.c
   MS06-001: http://technet.microsoft.com/en-us/security/bulletin/ms06-001 (WMF vulnerability)
   glibc: http://www.nodefense.org/eglibc.txt

Agenda

   pull student's network cable: what did you leave exposed?
   ethics: cell phone surveillance
   exercise: decoy documents
   intro: what is security?
   beautiful security: TSA visualization, topics from confs.
   legality of drones
   digital sit ins ==? DDoS?
   http://donttrack.us/
   propaganda: http://www.google.com/green/
   coding exercise: write as many lines of code as you can in 5 minutes; must compile and run with no errors. language of your choice.
   http://networkconference.netstudies.org/2012/death-and-the-persistent-identity/
   http://www.theatlantic.com/technology/archive/2012/05/how-the-professor-who-fooled-wikipedia-got-caught-by-reddit/257134/
   http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/
   http://www.darkreading.com/vulnerability-management/167901026/security/antivirus/240000174/fbi-warns-travelers-using-hotel-networks-about-new-attack
   http://arstechnica.com/security/2012/06/printer-bomb-pandimonium/