\frametitle{\begin{tabular}{@ {}c@ {}}Security Engineers\end{tabular}}
According to Bruce Schneier, {\bf security engineers} require
a particular {\bf mindset}:\bigskip
``Security engineers --- at least the good ones --- see the world differently.
They can't walk into a store without noticing how they might shoplift. They can't
use a computer without wondering about the security vulnerabilities. They can't
vote without trying to figure out how to vote twice. They just can't help it.''
\frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN\end{tabular}}
\item Chip-and-PIN was introduced in the UK in 2004
\item before that customers had to sign a receipt\medskip
\item Is Chip-and-PIN a more secure system? What do you think?
\small\textcolor{gray}{(Some other countries still use the old method.)}
\frametitle{\begin{tabular}{@ {}c@ {}}Yes\ldots\end{tabular}}
``Chip-and-PIN is so effective in this country that fraudsters are starting to move their activities overseas,''
said Emile Abu-Shakra, spokesman for Lloyds TSB (in the Guardian, 2006).
\item mag-stripe cards cannot be cloned anymore
\item stolen or cloned cards need to be used abroad
\item fraud on lost, stolen and counterfeit credit cards was down \pounds{}60m (24\%) on 2004's figure
\frametitle{\begin{tabular}{c}Let's see\ldots\end{tabular}}
\small (diagram: Bank, terminal producer, customer / you)
\item A ``tamper-resistant'' terminal playing Tetris on
\item in 2006, Shell petrol stations stopped accepting Chip-and-PIN after \pounds{}1m had been stolen from customer accounts\smallskip
\item in 2008, hundreds of card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium were found to have been
expertly tampered with shortly after manufacture, so that over the preceding 9 months the details and PINs of credit cards
had been sent over mobile phone networks to criminals in Lahore, Pakistan
\frametitle{\begin{tabular}{c}Chip-and-PIN is Broken\end{tabular}}
\item man-in-the-middle attacks by the group around Ross Anderson\medskip
\footnotesize on BBC Newsnight in 2010 or \textcolor{blue}{\href{http://www.youtube.com/watch?v=JPAX32lgkrw}{youtube}}
\frametitle{\begin{tabular}{@ {}c@ {}}Chip-and-PIN is Really Broken\end{tabular}}
\item the same group successfully attacked card readers and ATMs this year
\item the problem: several types of ATMs generate poor random numbers, which are used as nonces
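As an added example (not code from the slides or from the group mentioned above): a sanity check a tester could run over a sample of nonces collected from one terminal or ATM, flagging the kinds of weakness the bullet describes; it assumes a 32-bit nonce field, and all sample values are constructed.

```python
import secrets

WIDTH_BITS = 32  # assumed nonce field width for this example


def nonce_findings(nonces, width_bits=WIDTH_BITS):
    """Inspect a sequence of integer nonces observed from one device and
    return the weaknesses found:
      'repeat'  - a value occurs more than once
      'counter' - consecutive values differ by a constant stride, i.e. a
                  counter or fixed-interval clock dressed up as a nonce
      'narrow'  - every value fits in half the field, so most of the
                  advertised randomness is unused
    An empty set means none of these simple checks fired; it is not a
    proof of good randomness."""
    findings = set()
    if len(nonces) != len(set(nonces)):
        findings.add("repeat")
    if len(nonces) >= 3:
        strides = {b - a for a, b in zip(nonces, nonces[1:])}
        if len(strides) == 1:
            findings.add("counter")
    if nonces and max(nonces) < 2 ** (width_bits // 2):
        findings.add("narrow")
    return findings


def sample_nonces(count, width_bits=WIDTH_BITS):
    """Reference sample from the OS CSPRNG, for comparison with device output."""
    return [secrets.randbits(width_bits) for _ in range(count)]


if __name__ == "__main__":
    # Constructed samples: a counter, a repeating generator, a narrow one.
    counter = [0x6B4A1000 + i for i in range(8)]
    repeating = [0x9F3C01A2, 0x12AB77E0, 0x9F3C01A2, 0x5E08C4D1]
    narrow = [0x0000A1F3, 0x00003B07, 0x0000C2E9, 0x00001D44]
    for name, sample in [("counter", counter), ("repeating", repeating),
                         ("narrow", narrow), ("csprng", sample_nonces(16))]:
        print(name, sorted(nonce_findings(sample)) or "no findings")
```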
\frametitle{\begin{tabular}{c}The Problem\ldots\end{tabular}}
\small (diagram: Bank, terminal producer, customer / you)
\item the burden of proof for fraud and financial liability was shifted to the customer
\end{itemize}
\frametitle{\begin{tabular}{c}Screwed Again\end{tabular}}
\item {\bf Responsibility}\\
``You understand that you are financially responsible for all uses of RBS Secure.''\\
\frametitle{\begin{tabular}{c}Web Applications\end{tabular}}
\small (diagram: Servers from Dot.com Inc., Client)
\item cookies: max 4KB data\\[-2mm]
\item cookie theft, cross-site scripting attacks\\[-2mm]
\item session cookies, persistent cookies, HttpOnly cookies, third-party cookies, zombie cookies
{\bf EU Privacy Directive about Cookies:}\smallskip\\
``In May 2011, a European Union law was passed stating that websites that leave non-essential cookies on visitors' devices have to alert the visitor and get acceptance from them. This law applies to both individuals and businesses based in the EU regardless of the nationality of their website's visitors or the location of their web host. It is not enough to simply update a website's terms and conditions or privacy policy. The deadline to comply with the new EU cookie law was 26th May 2012 and failure to do so could mean a fine of up to \pounds{}500,000.''
\frametitle{\begin{tabular}{c}My First Webapp\end{tabular}}
{\bf GET request:}\smallskip
\item read cookie from client
\item if none is present, set \texttt{visits} to \textcolor{blue}{$0$}
\item if cookie is present, extract \texttt{visits}
\item if \texttt{visits} is greater than or equal to \textcolor{blue}{$10$}, \\
print valued customer message\\
otherwise just normal message
\item increase \texttt{visits} by \textcolor{blue}{$1$} and store new cookie with client
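An added implementation of the five steps above (not code from the original slides): plain Python functions with no web framework, taking the request's Cookie header value and returning the message together with the Set-Cookie value. The unsigned handler follows the slide literally; the signed variant and its server key are my own additions, included to show why a counter the client can edit should not be trusted, and `HttpOnly` is set because the earlier slide lists it among the cookie kinds.

```python
import hashlib
import hmac

# Hypothetical server secret for the signed variant; constructed for this example.
SECRET_KEY = b"constructed-example-key-do-not-reuse"
VALUED_THRESHOLD = 10  # "greater than or equal to 10" on the slide


def parse_cookie_header(header):
    """Turn a 'Cookie:' header value such as 'a=1; b=2' into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def handle_get_unsigned(cookie_header):
    """The slide's procedure as written: the client's 'visits' value is trusted."""
    cookies = parse_cookie_header(cookie_header)
    visits = int(cookies["visits"]) if cookies.get("visits", "").isdigit() else 0
    message = "valued customer" if visits >= VALUED_THRESHOLD else "normal"
    return message, f"visits={visits + 1}; HttpOnly"


def _tag(value):
    """HMAC-SHA256 tag over the counter, keyed with the server secret."""
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def handle_get_signed(cookie_header):
    """Same procedure, but the cookie is 'visits=<n>|<tag>' and a cookie whose
    tag does not verify is treated as absent, so editing the cookie on the
    client side cannot raise the count."""
    cookies = parse_cookie_header(cookie_header)
    visits = 0
    raw = cookies.get("visits", "")
    if "|" in raw:
        number, tag = raw.rsplit("|", 1)
        if number.isdigit() and hmac.compare_digest(tag.encode(), _tag(number).encode()):
            visits = int(number)
    message = "valued customer" if visits >= VALUED_THRESHOLD else "normal"
    new_value = str(visits + 1)
    return message, f"visits={new_value}|{_tag(new_value)}; HttpOnly"
```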
\frametitle{\begin{tabular}{c}Brute Forcing Passwords\end{tabular}}
\item How fast can hackers crack SHA-1 passwords? \pause
\item The answer is 2 billion attempts per second\\
using a Radeon HD 7970
\begin{tabular}{@ {\hspace{-12mm}}rl}
password length & time\smallskip\\\hline
5 letters & 5 secs\\
6 letters & 500 secs\\
7 letters & 13 hours\\
8 letters & 57 days\\
9 letters & 15 years
\end{tabular}
5 letters $\approx$ 100$^5$ $=$ 10 billion combinations\\
(1 letter - upper case, lower case, digits, symbols $\approx$ 100)
\footnotesize graphics card, ca.~\pounds{}300
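The table's figures rebuilt from its two assumptions (about 100 symbols per position, 2 billion SHA-1 guesses per second), as an added example that is not part of the original slides; the last function goes beyond the slide to show what a deliberately slow password hash does to the same numbers.

```python
# Units in descending order; humanize() rounds down, which is how the slide's
# table is presented (13 hours, 57 days, 15 years).
UNITS = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("secs", 1))


def crack_time_seconds(alphabet_size, length, guesses_per_second):
    """Worst case: every one of alphabet_size**length candidates is tried."""
    return alphabet_size ** length / guesses_per_second


def humanize(seconds):
    """Express a duration in the largest whole unit that fits."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{int(seconds // size)} {name}"
    return "under 1 sec"


def crack_table(alphabet_size=100, guesses_per_second=2e9, lengths=range(5, 10)):
    """Rebuild the slide's table: 100 symbols per position, 2 billion SHA-1
    guesses per second on one Radeon HD 7970."""
    return {n: humanize(crack_time_seconds(alphabet_size, n, guesses_per_second))
            for n in lengths}


def crack_time_with_iterations(alphabet_size, length, guesses_per_second, iterations):
    """Beyond the slide: if verifying a password costs `iterations` hash
    evaluations (a key-stretching hash rather than plain SHA-1), the attacker's
    effective guess rate drops by the same factor."""
    return crack_time_seconds(alphabet_size, length, guesses_per_second / iterations)


if __name__ == "__main__":
    for length, time_taken in crack_table().items():
        print(f"{length} letters: {time_taken}")
    print("8 letters, 10000 iterations per guess:",
          humanize(crack_time_with_iterations(100, 8, 2e9, 10_000)))
```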
\item Scott McNealy: \\``You have zero privacy anyway. Get over it.''
\item How do we recover from a break-in?
\frametitle{\begin{tabular}{c}Thinking as a Defender\end{tabular}}
\item What are we trying to protect?
\item What properties are we trying to enforce?\medskip
\item Who are the attackers? Capabilities? Motivations?
\item What kind of attacks are we trying to protect against?
\item Who can fix any vulnerabilities?\medskip
\item What are the weaknesses of the system?
\item What will successful attacks cost us?
\item How likely are the attacks?\medskip
\item Security is almost always {\bf not} free!
\frametitle{\begin{tabular}{c}The Security Mindset\end{tabular}}
\item How things can go wrong.
\item Think outside the box.
The difference from a criminal is that one only \emph{thinks} about how things can go wrong.
