Bruce Schneier - Security Guru

Bruce Schneier is a well-respected author and critic on topics of security. His primary research and writings are on the topic of cryptology, but he is considered a “guru” of security in general. Click Here for Bruce's full bio page.

Schneier's Blog - Here is Schneier's full blog (Seriously interesting and updated almost daily. If you have even the slightest interest in security, I would bookmark this one.)

Bruce Schneier's personal blog contains a myriad of articles pertaining to current security issues. Articles range from internet security issues such as fraud and theft to airport security and other physical security issues (keys, safes, etc.).

Interesting Articles:

Perusing Schneier's blog, it will not take you long to find articles that relate directly to some of the things discussed in class, but for convenience, here are a few that I found particularly interesting.

"Man-in-the-Middle Attack against Chip and PIN"

Full Article

Researchers (computer scientists, in fact) from Cambridge University found a way to exploit credit cards. Their system allows them to use stolen credit cards without knowing the PIN! This article demonstrates the importance of researchers actually BREAKING security protocols on purpose, as if they were criminals themselves. These researchers did just that by recording the exploit on camera for all to see:

“…We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say “Verified by PIN.””

The following video (exploit: 2:01 - 3:30) shows the exploit in action. You may notice that this version was done by the BBC, and at some point they say something like “We obviously don't want to give out too much detail…” Well, maybe not on TV, but the effectiveness of this method for improving security (that is, hacking then publicizing the hack) requires full disclosure. So here it is, folks: the thesis paper entitled “Chip and PIN is Broken” published by the researchers from Cambridge themselves. Happy hacking!

Now read the following response to this article (as posted on Schneier's blog):

“Of course it's been known for a long time that Chip and Pin does not provide any real security, and is all about shifting the liability onto the customers – but it's nice to see these researchers demonstrate it so blatantly. When criminals can steal your money without even knowing the pin, surely the banks will be forced to acknowledge that it's not secure and to accept back the liability that they would much rather foist off on their customers?”

If you didn't watch the whole video the first time, I recommend doing so. Take special notice of the answers interviewees offer to questions such as: Did the banks know of/suspect this attack already? Has this exploit already been used by criminals? Were the banks able to [and if so why didn't they] prevent this attack? What must the banks do now?

In short, banks and card issuers may (although not necessarily) have realized that there is a gaping hole in swipe-card security, but the amount of money necessary to fix the problem could potentially be monstrous. If it's cheaper for them, banks may prefer to simply deal with a few people who have had large sums of money stolen due to this exploit rather than plug the hole. However, when researchers purposefully break the system and then make the hack public, suddenly the banks are forced to fix the exploit, because the weak spot is no longer a secret known to few. The result? The world becomes just a little bit more secure.

ci2010/team2_bruce_schneier.txt · Last modified: 2010/02/27 15:11 by lstarret