In this lecture, Walter Belgers will look at some security flaws in locks to see how they came about. Then he shows us how similar mistakes are made in software development and deployment. In both cases, we have to deal with design flaws, implementation errors, zero-day attacks, brute-force attacks, user errors and more. Real-life examples will be given and demonstrated. There are some interesting differences in how security is looked at in the hardware and the software world. Both groups can certainly learn from each other.
4. @ITCAMPRO #ITCAMP18 Community Conference for IT Professionals
• 20 years of lockpicking experience
• President of TOOOL, The Open Organisation of Lockpickers
• Fastest Dutch lockpicker ;-)
Design - software
• Security is often a small component in software and hence often an afterthought
• Functionality is more important than security
Design - locks
• Locks are always there to provide security, so security is no afterthought
• Lock manufacturers are good at specifying requirements
• Risks are pretty well understood (but not by all!)
• Locks are tested (e.g. for certification)
Design - locks
• Secure against what?
• Key control (who can copy)
• Protection against destructive attacks (drilling, pulling, breaking)
• Protection against non-destructive attacks (lockpicking, pickgun, bumping, impressioning)
• Tight cost and space constraints
http://null-byte.wonderhowto.com/how-to/turn-innocent-dry-erase-marker-into-hotel-hacking-machine-0139534/
Security testing
• Let an experienced security consultant look at the security?
• Use automated vulnerability scanners?
• Certification?
• You can’t see how secure a piece of software is
• We can’t all be security experts
You get what you pay for
Times shown on the slide: 4’49.20, 0’40.90, 0’34.31, 0’02.16, 3’57.00
• With locks, you can see something
• But does it mean anything?
You get what you pay for