\begin{frame}[c]
\frametitle{Case-In-Point: Android}

\begin{itemize}
\item a list of common Android vulnerabilities
(5 BOAs out of 35 vulnerabilities; all from 2013 and later)

\begin{center}
\url{http://androidvulnerabilities.org/}
\end{center}\bigskip

\item a paper that attempts to measure the security of Android phones

\begin{quote}\small\rm ``We find that on average 87.7\% of Android
devices are exposed to at least one of 11 known critical
vulnerabilities\ldots''
\end{quote}

\begin{center}\small
\makebox[0mm]
{\url{https://www.cl.cam.ac.uk/~drt24/papers/spsm-scoring.pdf}}
\end{center}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]

A student asked:

\begin{bubble}[10cm]\small How do we implement BOAs? On a
webpage login, for example Facebook, we can't do this.
I am sure the script will stop us even before we reach the
server. The script will not let us enter hexadecimal numbers
where email or username is required, and it will also have a
max length, like 32 characters only. In this case, what can we
do, since the method you showed us wouldn't work?
\end{bubble}\bigskip\bigskip\pause

\begin{itemize}
\item the browser-side script is not the obstacle: it runs on the
  client's machine, and a request sent to the server directly
  (without the browser) carries whatever the sender puts in it;
  only checks done on the server count
\item Facebook: no
\item printers, routers, cars, IoT etc.: likely\pause
\item I do not want to teach you hacking, rather defending
\end{itemize}

\end{frame}
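To make the point of the answer above concrete, here is an added example (not code from the lecture, and not from any real device firmware) of how a login form field might be handled on the server side of a router or printer, where a BOA (buffer overflow attack) is "likely": the vulnerable version trusts the browser's length limit, the hardened version enforces it on the server. The field name \texttt{username}, the 32-character limit and the request bodies are constructed for this example; percent-decoding of the value is left out and must precede the length check in a real handler.

```c
/* Added example (not from the lecture): a server-side handler for a login
 * form, as an embedded web server on a router or printer might write it.
 * The field name "username", the 32-character limit and the request
 * bodies are constructed for this example.  Percent-decoding of the
 * value is deliberately omitted; a real handler must decode before it
 * measures length, or the check is applied to the wrong size.
 * Build: cc -std=c99 -Wall -Wextra login.c -o login */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USER_MAX 32 /* buffer size; holds USER_MAX-1 characters plus NUL */

/* Find `key=` in an application/x-www-form-urlencoded body such as
 * "username=alice&password=s3cret".  Returns a pointer to the value and
 * stores its length (up to the next '&' or end of body) in *len, or
 * returns NULL when the field is absent.  The body is not modified. */
static const char *form_value(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');   /* skip to the next field */
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* VULNERABLE: relies on the browser's maxlength="32" having been enforced.
 * That check runs on the client's machine; a request built by hand (curl,
 * an intercepting proxy, a script) carries any length, and the unbounded
 * copy overruns `user` on the stack.  Shown only for the pattern; this
 * program never calls it with over-long input. */
int login_vulnerable(const char *body)
{
    char user[USER_MAX];
    size_t len;
    const char *v = form_value(body, "username", &len);

    if (v == NULL)
        return -1;
    memcpy(user, v, len);           /* len is attacker-controlled */
    user[len] = '\0';
    return (int)strlen(user);
}

/* HARDENED: the length check lives on the server, where the client cannot
 * bypass it, and the copy is bounded by the destination size regardless of
 * what any browser script did.  Over-long input is rejected rather than
 * silently truncated. */
int login_hardened(const char *body)
{
    char user[USER_MAX];
    size_t len;
    const char *v = form_value(body, "username", &len);

    if (v == NULL)
        return -1;                  /* field missing */
    if (len >= sizeof user)
        return -2;                  /* over limit: reject the request */
    memcpy(user, v, len);
    user[len] = '\0';
    return (int)strlen(user);       /* accepted; length of the username */
}

/* Build a constructed body "username=AAA...A&password=x" with n 'A's and
 * run it through the hardened handler; returns its result code. */
int hardened_with_username_of_length(size_t n)
{
    const char *head = "username=", *tail = "&password=x";
    char *body = malloc(strlen(head) + n + strlen(tail) + 1);
    int rc;

    if (body == NULL)
        return -3;
    strcpy(body, head);
    memset(body + strlen(head), 'A', n);
    strcpy(body + strlen(head) + n, tail);
    rc = login_hardened(body);
    free(body);
    return rc;
}

int main(void)
{
    printf("normal login: %d\n", login_hardened("username=alice&password=s3cret"));
    printf("31-char username: %d\n", hardened_with_username_of_length(31));
    printf("100-char username (rejected): %d\n", hardened_with_username_of_length(100));
    return 0;
}
```

The difference between the two handlers is a single comparison, which is the whole point of the answer above: the browser's maxlength is a usability feature, the server's `len >= sizeof user` check is the security control.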
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
