Assessing and Mitigating Risks in Computer Systems

The authors assess risks associated with the authentication service and discuss the non-repudiation service of BankID, a security infrastructure owned by the Norwegian banks.
