This page is organized by the weeks of the quarter in which lectures were given. The weeks are in inverse order, on the assumption you will most often be looking for the most recent week.
This class will be taught by Peter Reiher. The textbook is Computer Security: Art and Science, by Matt Bishop. Assigned readings are from this book, unless otherwise indicated. Dr. Bishop has also published a second textbook that contains selected sections of this book, with a similar title. I can't guarantee that all material assigned will actually be in this other book, and it will definitely be at different pages if it's there at all.
I will be lecturing on these subjects during the class.
The TA for the course will be Joshua Joy -- (jjoy@CS.UCLA.EDU). The labs for this course will consist of 5 hands-on, practical and exploratory projects covering The labs for this course will consist of 5 hands-on, practical and exploratory projects covering security-related topics, plus a short introduction to the lab software. Office hour and discussion section information will be determined following the first recitation section and posted here.
Instructions for accessing the homework will be given out via email early in the second week of classes and will be discussed during the first recitation sections.
The midterm exam for CS 136 will be given on Monday, June 9, in our regular classroom, from 6:30-9:30 PM. It will be closed book, closed notes. The exam will be similar to the midterm, consisting of multiple choice and short answer questions, but it will be somewhat longer. The exam covers all material from the class, including all material on slides, lectured on, or in assigned reading materials, except for web links to readings that were explicitly accompanied by a note saying they would not be covered.
Here is a sample final exam. Some material on this sample final exam was not covered in this year's class, and thus would not appear on this year's final exam. Here are the answers to the sample final exam.
No readings assigned for this class.
Lecture 18. Securing Your System.
Lecture 17. Privacy.
No readings assigned for this class.
Lecture 16. Web Security.
Lecture 15. Evaluating System Security.
An Introduction to Information System Risk Management, Steve Elky, 2006.
Threat Modeling: A Process to Ensure Application Security, Steven Burns, 2005.
No new readings assigned for this lecture.
Lecture 14. Secure Programming, Continued.
Lecture 13. Secure Programming.
CERT's Top 10 Secure Coding Practices.
Apple's recommendations on avoiding buffer overflows.
Lecture 12. Malicious Software.
Textbook: Chapter 22 (pages 613-641)
Web links:
Here is an article on Stuxnet that combines a good description of what the worm actually does with discussion of its origins and purpose, specifically avoiding jumping to conclusions. The article is from 2010, so some information in it is outdated, but it gives a pretty good, moderately technical description of the worm in a reasonably brief form. You only need to read the article, not the comments by others that follow it.
If you want to get a deeper explanation of Stuxnet, here is a long, detailed report by Symantec. THIS REPORT IS OPTIONAL, AND NO MATERIAL FROM IT WILL APPEAR ON THE FINAL EXAM. The link is only provided so those with a deeper interest in this malware can obtain the best available technical information on it.
Lecture 11. Intrusion Detection.
Textbook: Chapter 25 (pages 723-767)
Web link (not required reading; not on the final exam):
SANS' frequently asked question page on intrusion detection contains links to a lot of useful information, without trying to sell you on a particular product.
Lecture 9. Network Security.
Textbook: Chapter 24. (Pages 689-719)
Lecture 10. Network Security, continued.
Textbook: Chapter 26 (pages 773-799)
Because I have fallen behind on the lectures, I am not posting a new lecture for Tuesday, April 29. Instead, I will give the lecture originally scheduled for Thursday, April 24, as shown below. Thus, there are also no new readings scheduled for Tuesday. On Thursday, May 1, the midterm will be held in class. It will be proctored by our TA, Joshua Joy, and I will not be there.
Lecture 7. Authentication.
Textbook: Chapter 12 (pages 309-335)
Web links:
A discussion on choosing secure passwords.
A short essay on the limits of using biometrics by Bruce Schneier. This essay is embedded in a longer newsletter. You need only read the section titled "Biometrics in Airports".
Lecture 8. Operating System Security.
Textbook: Chapter 17, Sections 17.1 - 17.2.2 (pages 439-446), introduction to Section 17.3 (pages 446-448), Section 17.3.3 (pages 467-470).
A white paper on full disk encryption.
Textbook: Chapter 10, sections 10.1, 10.3, 10.4, and 10.5 (pages 245-246, 252-266)
PDF version of Lecture 5. Cryptographic Keys.
Textbook: Chapter 10, section 10.2 (pages 246-252).
PDF version of Lecture 6. Security Protocols.
Here is a brief technical description of the Heartbleed vulnerability.
Here is a tool to test if a web site is susceptible to the Heartbleed attack.
Here is a link to Bruce Schneier's blog post on Heartbleed. It's a bit more alarmist than he usually is, in my opinion, but generally he's a highly respected authority on cyber security issues, and usually worth listening to.
PDF version of Lecture 3. Introduction to Cryptography.
Textbook: Introduction to Section IV and Chapter 9, sections 9.1-9.2.2.2 (pages 215-227).
Textbook: Chapter 2 (pages 31-44) and Chapter 15 (pages 381-396).
PDF version of Lecture 4. More on Cryptography.
Textbook: Chapter 9, sections 9.2.3-9.7 (pages 228-241)
Lecture 2. Security Design Principles, Policies, and Tools.
Textbook: Chapter 4, Sections 4.1-4.6 (pages 95-114)
Chapter 5, Sections 5.1-5.2.2 (pages 123-132)
Chapter 6, Sections 6.1-6.2 (pages 151-155)
Chapter 7, Section 7.1 (pages 169-177)
Lecture 1. Introduction.
Textbook: Chapter 1 (pages 1-25)
Web links:
Improving the Security of Networked Systems, Julia Allen, Christopher Alberts, Sandi Behrens, Barbara Laswell, and William Wilson.
Why Computers Are Insecure, Bruce Schneier. (The link leads to an entire web page on various security subjects. Read it all, if you want, but the assignment is only this essay, which is around a page and a half.)
Social Engineering Fundamentals, Part I: Hacker Tactics Sarah Granger.
The Stuxnet worm was discussed in class. This article talks about how it was analyzed and determined to be intended for taking control of certain kinds of facilities.