Part I: vulnerabilities and attacks
The first part of this lecture series analyzes vulnerabilities in several well-known computer systems and explains some common attacks.
Internet banking security. The following two lectures discuss how it was possible to exploit the authentication techniques used in Norwegian Internet banking systems during 2003 and 2004. The main goal is to show that today's Internet banking systems must use stronger authentication techniques.
ATM security. The lecture shows that it was possible to determine the PINs associated with Norwegian ATM cards during the 1990s, and illustrates how important it is to evaluate a system's security on a regular basis.
Vulnerabilities in e-governments. The lecture shows that e-government sites all over the world were vulnerable to web-based attacks (XSS and SQL injection) during 2005. The lecture confirms that security mistakes are often made during the implementation of applications.
DoS attacks. The lecture gives a comprehensive introduction to (D)DoS attacks.
Electronic surveillance and identity theft. The lecture discusses electronic surveillance, considers the usefulness of CCTV systems, and explains why identity theft is a serious and growing problem.
Database security. The lecture discusses the use of cryptography inside the database and develops a threat model for it.
Part II: PKI
The second part of the lecture series gives a comprehensive introduction to PKIs. In particular, it is shown how a PKI can be combined with the widely used SSL/TLS protocol.
Part III: risk management
The third part contains an introduction to security risk management. Several large examples illustrate the most important steps in the risk management process. The examples consider the technical, legal, and usability aspects of risk management. In particular, it is explained why the poor usability of SSL/TLS makes phishing attacks easier.
*: Analysis pertains to the 2007 version of BankID. Changes to the system were introduced after the analysis was completed.
Part IV: the SWAP framework
The final lectures develop and analyze the architecture of a framework for Secure Wireless Application Programming (SWAP), called the SWAP framework.
Last updated 03.10.08.
Webmaster KJH