Showing posts with label Computer Security. Show all posts

Friday, June 8, 2012

Handbook of Database Security Applications and Trends

Michael Gertz
University of California at Davis
USA
Sushil Jajodia
George Mason University
USA

Contents
1 Recent Advances in Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Sabrina De Capitani di Vimercati, Sara Foresti, and Pierangela Samarati
2 Access Control Models for XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Sabrina De Capitani di Vimercati, Sara Foresti, Stefano Paraboschi, and Pierangela Samarati
3 Access Control Policy Languages in XML . . . . . . . . . . . . . . . . . . . . . . . 55
Naizhen Qi and Michiharu Kudo
4 Database Issues in Trust Management and Trust Negotiation . . . . . . . 73
Dongyi Li, William Winsborough, Marianne Winslett and Ragib Hasan
5 Authenticated Index Structures for Outsourced Databases . . . . . . . . . 115
Feifei Li, Marios Hadjileftheriou, George Kollios, and Leonid Reyzin
6 Towards Secure Data Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Radu Sion
7 Managing and Querying Encrypted Data . . . . . . . . . . . . . . . . . . . . . . . 163
Bijit Hore, Sharad Mehrotra, and Hakan Hacıgümüş
8 Security in Data Warehouses and OLAP Systems . . . . . . . . . . . . . . . . . 191
Lingyu Wang and Sushil Jajodia
9 Security for Workflow Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Vijayalakshmi Atluri and Janice Warner
10 Secure Semantic Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Bhavani Thuraisingham
11 Geospatial Database Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Soon Ae Chun and Vijayalakshmi Atluri
12 Security Re-engineering for Databases: Concepts and Techniques . . . 267
Michael Gertz and Madhavi Gandhi
13 Database Watermarking for Copyright Protection . . . . . . . . . . . . . . . . 297
Radu Sion
14 Database Watermarking: A Systematic View . . . . . . . . . . . . . . . . . . . . 329
Yingjiu Li
15 Trustworthy Records Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Ragib Hasan, Marianne Winslett, Soumyadeb Mitra, Windsor Hsu, and Radu Sion
16 Damage Quarantine and Recovery in Data Processing Systems . . . . . 383
Peng Liu, Sushil Jajodia, and Meng Yu
17 Hippocratic Databases: Current Capabilities and Future Trends . . . . 409
Tyrone Grandison, Christopher Johnson, and Jerry Kiernan
18 Privacy-Preserving Data Mining: A Survey . . . . . . . . . . . . . . . . . . . . . . 431
Charu C. Aggarwal and Philip S. Yu
19 Privacy in Database Publishing: A Bayesian Perspective . . . . . . . . . . . 461
Alin Deutsch
20 Privacy Preserving Publication: Anonymization Frameworks and Principles . . . . . . . . . . . . . . 489
Yufei Tao
21 Privacy Protection through Anonymity in Location-based Services . . 509
Claudio Bettini, Sergio Mascetti, and X. Sean Wang
22 Privacy-enhanced Location-based Access Control . . . . . . . . . . . . . . . . 531
Claudio A. Ardagna, Marco Cremonini, Sabrina De Capitani di Vimercati, and Pierangela Samarati
23 Efficiently Enforcing the Security and Privacy Policies in a Mobile Environment . . . . . . . . . . . 553
Vijayalakshmi Atluri and Heechang Shin
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575


Thursday, July 14, 2011

Java 2 Network Security

Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
The Team That Wrote This Redbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Comments Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Part 1. Introduction to Java and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1. An Overview of Java and Security . . . . . . . . . . . . . . . . . . . . 3
1.1 Java Is Not Just a Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 What Java Does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Java Is Not an Island: Java as a Part of Security . . . . . . . . . . . . . . . . . 5
1.3.1 Safety and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.3.2 Java as an Aid to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.3.3 Java as a Threat to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.3.4 Writing Secure Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.3.5 Staying One Jump Ahead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3.6 The Vigilant Web Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.4 Understanding Java 2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.4.1 An Example of Applet Security in Java 2 . . . . . . . . . . . . . . . . . . 14
1.4.2 An Example of Application Security in Java 2 . . . . . . . . . . . . . . . 26
1.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter 2. Attack and Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.1 Components of Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.1.1 The Development Environment. . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.1.2 The Execution Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.1.3 Interfaces and Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.2 Java 2 and Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.2.1 Cryptographic Tools in Brief . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
2.2.2 Java Cryptography Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 56
2.2.3 United States Export Rules for Encryption . . . . . . . . . . . . . . . . . 57
2.2.4 Signed Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
2.2.5 The Other Side of the Coin – Access Control . . . . . . . . . . . . . . . 59
2.3 Attacking the World of Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
2.3.1 Perils in the Life of Remote Code . . . . . . . . . . . . . . . . . . . . . . . . 59
2.3.2 Vulnerabilities in Java Applications . . . . . . . . . . . . . . . . . . . . . . . 66
2.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Chapter 3. The New Java Security Model . . . . . . . . . . . . . . . . . . . . . . . 69
3.1 The Need for Java Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.2 Evolution of the Java Security Model . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.2.1 The JDK 1.0 Sandbox Security Model . . . . . . . . . . . . . . . . . . . . 70
3.2.2 The Concept of Trusted Code in JDK 1.1 . . . . . . . . . . . . . . . . . . 72
3.2.3 The Fine-Grained Access Control of Java 2 . . . . . . . . . . . . . . . . 74
3.2.4 A Comparison of the Three Java Security Models . . . . . . . . . . . 78
3.3 Java 2 Protection Domain and Permissions Model . . . . . . . . . . . . . . . 80
3.4 New Class Search Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
3.4.1 Boot Class Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
3.4.2 Extensions Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
3.4.3 Application Class Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
3.4.4 Class Search Paths in Summary . . . . . . . . . . . . . . . . . . . . . . . . 89
3.5 Java 2 Class Loading Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
3.5.1 Run-Time Access Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
3.6 The Policy File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.6.1 The Default System-Wide Policy File . . . . . . . . . . . . . . . . . . . . . 96
3.7 Security Manager vs Access Controller . . . . . . . . . . . . . . . . . . . . . . . 98
3.8 Security Management with Java 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
3.8.1 Applying a Security Manager to Applets and Applications. . . . . . 99
3.8.2 Applying a User-Defined Security Policy. . . . . . . . . . . . . . . . . . . 99
3.8.3 Java Security Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
3.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Part 2. Under the Hood. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Chapter 4. The Java Virtual Machine. . . . . . . . . . . . . . . . . . . . . . . . . . 109
4.1 The Java Virtual Machine, Close Up. . . . . . . . . . . . . . . . . . . . . . . . . 109
4.1.1 The Class Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
4.1.2 The Class File Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.3 The Heap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.4 The Class Area. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.5 The Native Method Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.1.6 The Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.1.7 The Execution Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.1.8 Just-in-Time Compilers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Chapter 5. Class Files in Java 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
5.1 The Traditional Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . 117
5.2 The Java Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.3 The Java 2 Class File Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
5.3.1 Decompilation Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
5.4 The Constant Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
5.4.1 Beating the Decompilation Threat. . . . . . . . . . . . . . . . . . . . . . . 134
5.5 Java Bytecode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
5.5.1 A Bytecode Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Chapter 6. The Class Loader and Class File Verifier . . . . . . . . . . . . . 145
6.1 Class Loaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
6.1.1 Loading Classes from Trusted Sources . . . . . . . . . . . . . . . . . . 146
6.1.2 Loading Classes from Untrusted Sources . . . . . . . . . . . . . . . . . 147
6.1.3 Beyond What the JVM Provides . . . . . . . . . . . . . . . . . . . . . . . . 148
6.1.4 The Class Loading Process . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
6.1.5 Should You Build Your Own Class Loader . . . . . . . . . . . . . . . . 155
6.2 The Class File Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
6.2.1 An Example of Class File Verification . . . . . . . . . . . . . . . . . . . . 169
6.2.2 The Duties of the Class File Verifier . . . . . . . . . . . . . . . . . . . . . 175
6.2.3 The Four Passes of the Class File Verifier. . . . . . . . . . . . . . . . 176
6.3 The Bytecode Verifier in Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.3.1 The Data Flow Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
6.4 An Incompleteness Theorem for Bytecode Verifiers . . . . . . . . . . . . . 183
6.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Chapter 7. The Java 2 SecurityManager . . . . . . . . . . . . . . . . . . . . . . . 187
7.1 What SecurityManager Does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
7.2 Operation of the Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . 190
7.2.1 Interdependence of the Three JVM Security Elements . . . . . . . 192
7.3 Attacking the Defenses of Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
7.3.1 Types of Attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.3.2 Malicious Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
7.4 Avoiding Security Hazards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7.4.1 How to Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
7.5 Examples of Security Manager Extensions . . . . . . . . . . . . . . . . . . . . 206
7.5.1 First Example – Overriding checkWrite(). . . . . . . . . . . . . . . . . . 206
7.5.2 Second Example – Overriding checkPermission(). . . . . . . . . . . 211
7.5.3 Third Example – Overriding checkRead() and checkWrite() . . . 218
7.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Chapter 8. Security Configuration Files in the Java 2 SDK . . . . . . . . 225
8.1 A Note on java.home and the JRE Installation Directory. . . . . . . . . . 225
8.2 Keystores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
8.2.1 The Certificates KeyStore File cacerts . . . . . . . . . . . . . . . . . . . 233
8.3 The Security Properties File, java.security . . . . . . . . . . . . . . . . . . . . 234
8.4 Security Policy Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
8.4.1 keystore Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
8.4.2 grant Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
8.5 An Example of Security Settings in the Java 2 Platform . . . . . . . . . . 248
8.5.1 The Count Application Source Code . . . . . . . . . . . . . . . . . . . . . 248
8.5.2 A Sample Text File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
8.5.3 Compiling the Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
8.5.4 Running the Application without a Security Manager . . . . . . . . 250
8.5.5 Running the Application with the Default Security Manager . . . 250
8.5.6 Policy File Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
8.6 File Read Access to Files in the Code Base URL Directory . . . . . . . 252
8.7 Security Properties and Policy File Protection . . . . . . . . . . . . . . . . . 252
8.8 How to Implement a Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Chapter 9. Java 2 SDK Security Tools. . . . . . . . . . . . . . . . . . . . . . . . . 259
9.1 Key and Certificate Management Tool . . . . . . . . . . . . . . . . . . . . . . . 259
9.1.1 keytool Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
9.1.2 Store and Private Key Password . . . . . . . . . . . . . . . . . . . . . . . 261
9.1.3 Commands and Options Associated with keytool . . . . . . . . . . . 262
9.1.4 An Example of keytool Usage . . . . . . . . . . . . . . . . . . . . . . . . . . 269
9.2 Java Archive Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
9.2.1 Options of the jar Command . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
9.2.2 Running a JAR File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
9.3 JAR Signing and Verification Tool . . . . . . . . . . . . . . . . . . . . . . . . . . 275
9.3.1 jarsigner Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
9.3.2 Observations on the jarsigner Verification Process . . . . . . . . . . 284
9.3.3 Tampering with a Signed JAR File . . . . . . . . . . . . . . . . . . . . . . 286
9.4 Policy File Creation and Management Tool . . . . . . . . . . . . . . . . . . . 288
9.4.1 Observations on the Use of the Policy Tool . . . . . . . . . . . . . . . 295
Chapter 10. Security APIs in Java 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 297
10.1 The Package java.security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
10.1.1 Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
10.1.2 Guard Interface and GuardedObject Class . . . . . . . . . . . . . . . 298
10.1.3 Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
10.1.4 The Security Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
10.1.5 Access Control APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
10.1.6 Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
10.1.7 Message Digests and Digital Signatures. . . . . . . . . . . . . . . . . 311
10.1.8 Secure Random Number Generation . . . . . . . . . . . . . . . . . . . 316
10.1.9 The SignedObject Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
10.1.10 Permission APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
10.1.11 Code Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
10.1.12 Protection Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
10.1.13 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
10.1.14 Secure Class Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
10.1.15 Algorithm Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
10.2 The Package java.security.spec . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
10.3 The Package java.security.cert. . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
10.4 Package java.security.interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 324
10.5 The Package java.security.acl . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
10.6 Examples Using the Java 2 Security APIs . . . . . . . . . . . . . . . . . . . 325
10.6.1 Signature and Signature Verification. . . . . . . . . . . . . . . . . . . . 325
10.6.2 Using Keystores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
10.7 The Permission Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
10.7.1 How to Create New Permissions. . . . . . . . . . . . . . . . . . . . . . . 344
10.7.2 Working with Signed Permissions . . . . . . . . . . . . . . . . . . . . . . 348
10.8 How to Write Privileged Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
10.8.1 First Case – No Return Value, No Exception Thrown . . . . . . . 351
10.8.2 Second Case – Return Value, No Exception Thrown . . . . . . . 352
10.8.3 Third Case – Return Value, Exception Thrown . . . . . . . . . . . . 353
10.8.4 Accessing Local Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
10.8.5 An Example of Privileged Blocks Usage . . . . . . . . . . . . . . . . . 354
10.8.6 General Recommendations on Using the Privileged Blocks . . 358
Chapter 11. The Java Plug-In. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
11.1 Main Features of Java Plug-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
11.2 What Does the Java Plug-In Do? . . . . . . . . . . . . . . . . . . . . . . . . . . 364
11.3 Java Plug-In HTML Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
11.3.1 Changes Supported by Navigator . . . . . . . . . . . . . . . . . . . . . . 364
11.3.2 Changes Supported by Internet Explorer . . . . . . . . . . . . . . . . 365
11.3.3 Changes Supported by Both Navigator and Internet Explorer . 366
11.3.4 All the Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
11.3.5 Java Plug-in Software HTML Converter . . . . . . . . . . . . . . . . . 369
11.4 Java Plug-In Control Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
11.4.1 The Basic Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
11.4.2 The Advanced Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
11.4.3 The Proxies Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
11.5 Java Plug-In Security Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
11.5.1 First Step – Without Using the Java Plug-in . . . . . . . . . . . . . . 374
11.5.2 Second Step – Using the Java Plug-in . . . . . . . . . . . . . . . . . . 377
Chapter 12. Java Gets Out of Its Box . . . . . . . . . . . . . . . . . . . . . . . . . 385
12.1 JAR Files and Applet Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
12.1.1 Manifest File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
12.1.2 Signature File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
12.1.3 Signature Block File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
12.2 Signed Code Scenario in JDK 1.1 and Sun HotJava. . . . . . . . . . . . 393
12.2.1 Creating the CA Key Database . . . . . . . . . . . . . . . . . . . . . . . . 393
12.2.2 Creating the Server Key Database . . . . . . . . . . . . . . . . . . . . . 395
12.2.3 Creating and Signing a JAR File . . . . . . . . . . . . . . . . . . . . . . . 397
12.2.4 Running the Applet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
12.2.5 Creating the Client Key Database . . . . . . . . . . . . . . . . . . . . . . 399
12.3 Signed Code Scenario in Java 2 SDK, Standard Edition, V1.2 . . . . 400
12.3.1 Creating a Keystore for Certification Authorities . . . . . . . . . . . 401
12.3.2 Creating the Server Certificate . . . . . . . . . . . . . . . . . . . . . . . . 402
12.3.3 Creating and Signing a JAR file . . . . . . . . . . . . . . . . . . . . . . . 406
12.3.4 Granting the Permissions and Running the Applet . . . . . . . . . 407
12.4 Signed Code Scenario in Netscape Communicator. . . . . . . . . . . . . 409
12.4.1 Using the netscape.security Package . . . . . . . . . . . . . . . . . . . 410
12.4.2 Installing Keys and Certificates in Netscape Communicator . . 415
12.4.3 Signing JAR Files with Netscape Signing Tool . . . . . . . . . . . . 418
12.5 Signed Code Scenario in Microsoft Internet Explorer . . . . . . . . . . . 437
12.5.1 First Example with Signed CAB Files . . . . . . . . . . . . . . . . . . . 438
12.5.2 A More Complex Signed CAB File Example . . . . . . . . . . . . . . 450
12.6 The JAR Bug – Fixed In Java 2 SDK, Standard Edition, V1.2.1 . . . 461
12.6.1 The Solution in Java 2 SDK, Standard Edition, V1.2.1 . . . . . . 470
12.7 Future Developments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Part 3. Beyond the Island of Java – Surfing into the Unknown . . . . . . . . . . . . . . . . . 473
Chapter 13. Cryptography in Java 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 475
13.1 Security Questions, Cryptographic Answers . . . . . . . . . . . . . . . . . . 475
13.1.1 Public Key Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
13.2 The Java Cryptography Architecture Framework . . . . . . . . . . . . . . 480
13.2.1 JCE and United States Export Considerations . . . . . . . . . . . . 481
13.2.2 Relationship between Java 2 SDK, JCA and JCE APIs. . . . . . 482
13.3 JCA Terms and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
13.3.1 The Provider Concept in the JCA . . . . . . . . . . . . . . . . . . . . . . 485
13.3.2 Engine Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
13.3.3 Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
13.4 Java Cryptography Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
13.4.1 JCE – Packages and Their Contents . . . . . . . . . . . . . . . . . . . 493
13.4.2 The Cipher Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
13.4.3 The Cipher Stream Classes . . . . . . . . . . . . . . . . . . . . . . . . . . 495
13.4.4 Secret Key Interfaces and Classes . . . . . . . . . . . . . . . . . . . . . 495
13.4.5 The KeyGenerator Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
13.4.6 The KeyAgreement Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
13.4.7 The SealedObject Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
13.5 Java Cryptography in Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
13.5.1 First Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
13.5.2 Second Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
13.6 Asymmetric Encryption with the Java 2 SDK and JCE 1.2 . . . . . . . 497
13.6.1 Using Asymmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 497
13.7 How to Implement Your Own Provider . . . . . . . . . . . . . . . . . . . . . . 497
13.7.1 Write the Service Implementation Code . . . . . . . . . . . . . . . . . 498
13.7.2 Give the Provider a Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
13.7.3 Write a Master Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
13.7.4 Compile the Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
13.7.5 Install and Configure the Provider. . . . . . . . . . . . . . . . . . . . . . 498
13.7.6 Test if the Provider Is Ready . . . . . . . . . . . . . . . . . . . . . . . . . 498
13.7.7 Algorithm Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
13.7.8 Dependencies on Other Algorithms . . . . . . . . . . . . . . . . . . . . 499
13.7.9 Default Initializations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
13.7.10 A Sample Master Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Chapter 14. Enterprise Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
14.1 Browser Add-On Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
14.2 Networked Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
14.2.1 Applying the Java 2 Access Control Mechanisms . . . . . . . . . . 502
14.2.2 Two-Tier Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
14.2.3 Three-Tier Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
14.2.4 Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
14.3 Secure Clients and Network Computers . . . . . . . . . . . . . . . . . . . . . 509
14.4 Server-Side Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
14.4.1 The Cost of Server-Side Java . . . . . . . . . . . . . . . . . . . . . . . . . 511
14.5 Servlets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
14.5.1 Advantages of Servlets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
14.5.2 Servlets and CGI-BINs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
14.5.3 Java Servlet APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
14.5.4 Servlet Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
14.5.5 IBM WebSphere Application Server . . . . . . . . . . . . . . . . . . . . 520
14.5.6 A Sample Servlet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
14.5.7 The Current Servlet Security Model . . . . . . . . . . . . . . . . . . . . 530
14.6 Distributed Object Architectures – RMI . . . . . . . . . . . . . . . . . . . . . . 537
14.6.1 Stubs and Skeletons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
14.6.2 RMI Registry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
14.6.3 A Sample RMI Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
14.6.4 The Security of RMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
14.7 Enterprise JavaBeans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Chapter 15. Java and Firewalls – In and Out of the Net . . . . . . . . . . . 557
15.1 What Is a Firewall?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
15.2 What Does a Firewall Do? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
15.2.1 Inside a TCP/IP Packet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
15.2.2 How Can Programs Communicate through a Firewall? . . . . . . 561
15.3 Detailed Example of TCP/IP Protocol . . . . . . . . . . . . . . . . . . . . . . . 562
15.3.1 DNS Flow (UDP Example) . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
15.3.2 HTTP Flow (TCP Example). . . . . . . . . . . . . . . . . . . . . . . . . . . 564
15.4 Proxy Servers and SOCKS Gateways . . . . . . . . . . . . . . . . . . . . . . 570
15.4.1 Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
15.4.2 What Is SOCKS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
15.4.3 Using Proxy Servers or SOCKS Gateways . . . . . . . . . . . . . . . 574
15.5 The Effect of Firewalls on Java. . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
15.5.1 Downloading an Applet Using HTTP . . . . . . . . . . . . . . . . . . . . 575
15.5.2 Stopping Java Downloads with a Firewall . . . . . . . . . . . . . . . . 575
15.5.3 Java Network Connections through the Firewall . . . . . . . . . . . 578
15.6 Java and Firewall Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
15.6.1 URL Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
15.6.2 Socket Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
15.6.3 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
15.7 Remote Method Invocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
15.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Chapter 16. Java and SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
16.1 What Is SSL? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
16.2 Using SSL from an Applet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
16.2.1 Using SSL URLs with Java . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
16.3 Java and SSL with Sun Microsystems . . . . . . . . . . . . . . . . . . . . . . 609
16.3.1 The javax.net Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
16.3.2 The javax.net.ssl Package . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
16.3.3 The javax.security.cert Package . . . . . . . . . . . . . . . . . . . . . . . 612
16.4 How to Use Java and SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
16.4.1 Skeleton Program without SSL . . . . . . . . . . . . . . . . . . . . . . . . 614
16.4.2 Using SSL with the Sun Microsystems API . . . . . . . . . . . . . . . 623
16.5 Java and SSL with IBM SSLite . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
16.5.1 Extensions to the SSL Protocol . . . . . . . . . . . . . . . . . . . . . . . 627
16.5.2 SSLite Key Ring Management Tools. . . . . . . . . . . . . . . . . . . . 627
16.5.3 SSL Server Authentication with IBM SSLite for Java. . . . . . . . 631
16.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
16.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Chapter 17. Epilogue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
17.1 Future Directions of Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
17.1.1 Java 2 SDK – The Path Ahead . . . . . . . . . . . . . . . . . . . . . . . . 635
17.1.2 Resource Consumption Management . . . . . . . . . . . . . . . . . . . 636
17.1.3 Java Authentication and Authorization Service . . . . . . . . . . . . 636
17.1.4 Java RMI Security Extension . . . . . . . . . . . . . . . . . . . . . . . . . 637
17.1.5 Arbitrary Grouping of Permissions . . . . . . . . . . . . . . . . . . . . . 637
17.1.6 Object-Level Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
17.1.7 Subdividing Protection Domains . . . . . . . . . . . . . . . . . . . . . . . 638
17.1.8 Running Applets with Signed Content . . . . . . . . . . . . . . . . . . . 638
17.1.9 Java 2 Platform, Enterprise Edition. . . . . . . . . . . . . . . . . . . . . 639
17.2 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Appendix A. Getting Internal System Properties . . . . . . . . . . . . . . . . . 641
A.1 Program GetAllProperties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
A.2 Program GetProperty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Appendix B. Signature Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Appendix C. X.509 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
C.1 X.509 Certificate Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Appendix D. Sources of Information about Java Security . . . . . . . . . 651
D.1 Companies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
D.1.1 JavaSoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
D.1.2 Sun . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
D.1.3 IBM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
D.1.4 Microsoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
D.1.5 Reliable Software Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
D.1.6 JavaWorld. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
D.1.7 JCE Providers outside the United States . . . . . . . . . . . . . . . . . . . . 654
D.2 Universities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
D.2.1 Princeton . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
D.2.2 Yale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
D.2.3 Others. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Appendix E. What’s on the Diskette? . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
E.1 How to Access the Diskette . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
E.2 How to Get the Same Software Material from the Web . . . . . . . . . . . . . 657
Appendix F. Special Notices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Appendix G. Related Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
G.1 International Technical Support Organization Publications . . . . . . . . . . 663
G.2 Redbooks on CD-ROMs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
G.3 Other Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
How to Get ITSO Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
IBM Redbook Fax Order Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
ITSO Redbook Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679

Another Computer Security Books
Another Java Books
Another Network Books
Download

Saturday, June 25, 2011

Security Fundamentals for E-Commerce

Contents
Preface xix
What is covered in this book xix
Is security an obstacle to e-commerce development? xx
Why I wrote this book xxi
Some disclaimers xxi
How to read this book xxi
Acknowledgements xxii
Part 1
Information Security 1
1 Introduction to Security 3
1.1 Security Threats 3
1.2 Risk Management 4
1.3 Security Services 5
1.4 Security Mechanisms 6
2 Security Mechanisms 11
2.1 Data Integrity Mechanisms 11
2.1.1 Cryptographic Hash Functions 12
2.1.2 Message Authentication Code 14
2.2 Encryption Mechanisms 15
2.2.1 Symmetric Mechanisms 15
2.2.2 Public Key Mechanisms 24
2.3 Digital Signature Mechanisms 36
2.3.1 RSA Digital Signature 37
2.3.2 Digital Signature Algorithm 38
2.3.3 Elliptic Curve Analog of DSA 40
2.3.4 Public Key Management 41
2.4 Access Control Mechanisms 41
2.4.1 Identity-Based Access Control 42
2.4.2 Rule-Based Access Control 43
2.5 Authentication Exchange Mechanisms 43
2.5.1 Zero-Knowledge Protocols 44
2.5.2 Guillou-Quisquater 44
2.6 Traffic Padding Mechanisms 45
2.7 Message Freshness 46
2.8 Random Numbers 47
3 Key Management and Certificates 51
3.1 Key Exchange Protocols 51
3.1.1 Diffie-Hellman 52
3.1.2 Elliptic Curve Analog of Diffie-Hellman 53
6.2 Payer Anonymity 88
6.2.1 Pseudonyms 88
6.3 Payment Transaction Untraceability 90
6.3.1 Randomized Hashsum in iKP 90
6.3.2 Randomized Hashsum in SET 90
6.4 Confidentiality of Payment Transaction Data 91
6.4.1 Pseudorandom Function 91
6.4.2 Dual Signature 93
6.5 Nonrepudiation of Payment Transaction Messages 95
6.5.1 Digital Sig
7.1 Payment Transaction Untraceability 101
7.1.1 Blind Signature 102
7.1.2 Exchanging Coins 102
7.2 Protection Against Double Spending 103
7.2.1 Conditional Anonymity by Cut-and-Choose 103
7.2.2 Blind Signature 104
7.2.3 Exchanging Coins 104
7.2.4 Guardian 105
7.3 Protection Against Forging of Coins 110
7.3.1 Expensive-to-Produce Coins 110
7.4 Protection Against Stealing of Coins 111
7.4.1 Customized Coins 111
8 Electronic Check Security 119
8.1 Payment Authorization Transfer 119
8.1.1 Proxies 120
9 An Electronic Payment Framework 125
9.1 Internet Open Trading Protocol (IOTP) 125
9.2 Security Issues 127
9.3 An Example With Digital Signatures 128
Part 3
Communication Security 133
10 Communication Network 135
10.1 Introduction 135
10.2 The OSI Reference Model 136
10.3 The Internet Model 138
10.4 Networking Technologies 141
10.5 Security at Different Layers 143
10.5.1 Protocol Selection Criteria 145
10.6 Malicious Programs 146
10.6.1 The Internet Worm 147
10.6.2 Macros and Executable Content 149
10.7 Communication Security Issues 149
10.7.1 Security Threats 150
10.7.2 Security Negotiation 153
10.7.3 TCP/IP Support Protocols 154
10.7.4 Vulnerabilities and Flaws 154
10.8 Firewalls 157
10.9 Virtual Private Networks (VPN) 158
11 Network Access Layer Security 161
11.1 Introduction 161
11.2 Asynchronous Transfer Mode (ATM) 162
11.2.1 ATM Security Services 164
11.2.2 Multicast Security 169
11.2.3 ATM Security Message Exchange 169
11.2.4 ATM VPN 169
11.3 Point-to-Point Protocol (PPP) 170
11.3.1 Password Authentication Protocol (PAP) 173
11.3.2 Challenge-Handshake Authentication Protocol (CHAP) 174
11.3.3 Extensible Authentication Protocol (EAP) 176
11.3.4 Encryption Control Protocol (ECP) 179
11.4 Layer Two Tunneling Protocol (L2TP) 179
12 Internet Layer Security 185
12.1 Introduction 185
12.2 Packet Filters 186
12.2.1 Filtering Based on IP Addresses 186
12.2.2 Filtering Based on IP Addresses and Port Numbers 188
12.2.3 Problems With TCP 191
12.2.4 Network Address Translation (NAT) 195
12.3 IP Security (IPsec) 196
12.3.1 Security Association 197
12.3.2 The Internet Key Exchange (IKE) 199
12.3.3 IP Security Mechanisms 204
12.4 Domain Name Service (DNS) Security 210
12.5 Network-Based Intrusion Detection 210
12.5.1 Network Intrusion Detection Model 212
12.5.2 Intrusion Detection Methods 213
12.5.3 Attack Signatures 215
13 Transport Layer Security 221
13.1 Introduction 221
13.2 TCP Wrapper 222
13.3 Circuit Gateways 223
13.3.1 SOCKS Version 5 223
13.4 Transport Layer Security (TLS) 225
13.4.1 TLS Record Protocol 226
13.4.2 TLS Handshake Protocol 227
13.5 Simple Authentication and Security Layer (SASL) 232
13.5.1 An Example: LDAPv3 With SASL 233
13.6 Internet Security Association and Key Management Protocol (ISAKMP) 235
13.6.1 Domain of Interpretation (DOI) 235
13.6.2 ISAKMP Negotiations 236
14 Application Layer Security 243
14.1 Introduction 243
14.2 Application Gateways and Content Filters 244
14.3 Access Control and Authorization 245
14.4 Operating System Security 246
14.5 Host-Based Intrusion Detection 249
14.5.1 Audit Records 249
14.5.2 Types of Intruders 249
14.5.3 Statistical Intrusion Detection 250
14.6 Security-Enhanced Internet Applications 251
14.7 Security Testing 251
Part 4
Web Security 255
15 The Hypertext Transfer Protocol 257
15.1 Introduction 257
15.2 Hypertext Transfer Protocol (HTTP) 258
15.2.1 HTTP Messages 260
15.2.2 Headers Leaking Sensitive Information 262
15.2.3 HTTP Cache Security Issues 263
15.2.4 HTTP Client Authentication 264
15.2.5 SSL Tunneling 267
15.3 Web Transaction Security 268
15.3.1 S-HTTP 270
16 Web Server Security 273
16.1 Common Gateway Interface 274
16.2 Servlets 276
16.3 Anonymous Web Publishing: Rewebber 277
16.4 Database Security 277
16.5 Copyright Protection 280


Thursday, June 9, 2011

Windows Server 2008 Security

Contents at a Glance
Part I Windows Security Fundamentals
1 Subjects, Users, and Other Actors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
2 Authenticators and Authentication Protocols. . . . . . . . . . . . . . . . . . . . . 17
3 Objects: The Stuff You Want. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4 Understanding User Account Control (UAC) . . . . . . . . . . . . . . . . . . . . . . 91
5 Firewall and Network Access Protection . . . . . . . . . . . . . . . . . . . . . . . . 115
6 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
7 Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
8 Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Part II Implementing Identity and Access (IDA) Control
Using Active Directory
9 Designing Active Directory Domain Services for Security. . . . . . . . . . 241
10 Implementing Active Directory Certificate Services. . . . . . . . . . . . . . . 265
Part III Common Security Scenarios
11 Securing Server Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
12 Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
13 Securing the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
14 Securing the Branch Office. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
15 Small Business Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
16 Securing Server Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463


Monday, May 30, 2011

PKI Implementing and Managing E-Security

Contents
Foreword xv
About the Authors xvii
About the Reviewers xix
Preface xxi
Chapter 1 Introduction 1
Security Trends 2
Electronic Commerce and Security Today 3
Security Services 3
Public Key Infrastructure 6
Applications 7
Audience 7
About this Book 8
About the Authors 10
Chapter 2 Introduction to Cryptography 11
My Mom 11
Is Cryptography Really Needed? 12
Cryptography 15
Cryptographic Algorithms 15
Cryptology and Cryptanalysis 16
Security by Obscurity 17
Cryptography 101 18
The Characters 19
Symmetric Cryptography 21
Pick a Number, Any Number 21
Symmetric Cryptography Recap 28
Asymmetric Cryptography 29
Public and Private Keys 31
The Benefits and Drawbacks of Asymmetric Cryptography 34
Asymmetric Cryptography Recap 35
The Best of Both Worlds 35
Hashes 39
Digital Signatures 41
Digital Certificates 45
Non-Repudiation 49
Congratulations! 50
Cryptography Recap 50
Securing Web Transactions 51
Why Isn’t Cryptography Pervasive Yet? 56
Standards-Based, Interoperable Solutions 57
Getting Burned 57
Migration 59
The Test 60
Reference 61
Chapter 3 Public Key Infrastructure Basics 63
Public Key Infrastructure Basics 63
Why Isn’t Public Key Cryptography Enough? 64
The Need for Trusted Identities 66
Certification Authorities 68
What Is a Digital Certificate? 70
Application Use of Certificates 77
Why Do You Need a Public Key Infrastructure? 79
User Authentication 80
Public Key Infrastructure Components 83
Key and Certificate Life Cycle Management 88
The Role of Authorization 89
Summary 93
References 94
Chapter 4 PKI Services and Implementation 95
Key and Certificate Life Cycle Management 95
Certificate Issuance 96
How Long Will that Key Last? 103
Certificate Revocation 106
Certificate Validation 108
Certification Paths 109
Types of Keys 115
Certificate Distribution 118
Fundamental Requirements 121
Protection of Private Keys 122
Deploying PKI Services 128
Public Certification Authority Services 129
In-House Enterprise Certification Authorities 132
Outsourced Enterprise CAs 133
How Do You Decide? 135
Summary 136
References 137
Chapter 5 Key and Certificate Life Cycles 139
Non-Repudiation and Key Management 139
Key Management 141
Key Generation 141
Key Stores 144
Key Transport 145
Key Archival 147
Key Recovery 150
Certificate Management 155
Certificate Registration 156
End-Entity Certificate Renewal 163
CA Certificate Renewal 163
Certificate Revocation 165
Summary 178
Chapter 6 A PKI Architecture—The PKIX Model 179
Public Key Infrastructure Architecture 179
The PKIX Model 179
PKIX Architecture 181
PKIX Functions 183
PKIX Specifications 186
PKI Entities 188
Registration Authority 188
Certification Authority 190
Repository 191
PKIX Management Protocols 191
CMP 192
CMC 197
Non-PKIX Management Protocols 200
SCEP 200
PKIX Certificate Validation Protocols 202
OCSP 203
SCVP 205
OCSP-X 207
Summary 208
References 208
Chapter 7 Application Use of PKI 211
PKI-Based Services 211
Digital Signature 211
Authentication 212
Timestamp 213
Secure Notary Service 213
Non-Repudiation 214
PKI-Based Protocols 216
Diffie-Hellman Key Exchange 217
Secure Sockets Layer 219
IPsec 223
S/MIME 228
Time Stamp Protocol
WTLS
Formatting Standards
X.509
PKIX
IEEE P1363
PKCS
XML
Application Programming Interfaces
Microsoft CryptoAPI
Common Data Security Architecture
Generic Security Service API 238
Lightweight Directory Access Protocol 238
Application and PKI Implementations 239
Signed Data Application 240
Summary 241
Chapter 8 Trust Models 243
What Is a Trust Model? 243
Trust 244
Trust Domains 245
Trust Anchors 246
Trust Relationships 247
General Hierarchical Organizations 249
Trust Models 251
Subordinated Hierarchical Models 251
Peer-to-Peer Models 256
Mesh Models 260
Hybrid Trust Models 268
Who Manages Trust? 273
User Control 273
Local Trust Lists 276
Managed Trust 278
Certificate Policy 280
Constrained Trust Models 281
Path Length 281
Certificate Policies 282
Path Construction and Validation 286
Path Construction 287
Path Validation 289
Implementations 290
Identrus Trust Model 290
ISO Banking Trust Model 292
Bridge CA 294
Summary 296
References 296
Chapter 9 Authentication and PKI 299
Who Are You? 299
Authentication 299
Authentication and PKI 301
Secrets 302
Passwords 302
Passwords in the Clear 302
Something Derived from Passwords 304
Adding a Little Randomness 306
Password Update 311
Here Come the Problems 312
The Costs of Passwords 315
Passwords Recap 316
Passwords and PKI 316
Moore’s Law Has Got Us! 318
Work to Strengthen Passwords 319
Authentication Tokens 320
2-Factor Authentication 321
Types of Authentication Tokens 322
PIN Management 331
Authentication Token Recap 334
Authentication Tokens and PKI 334
Smart Cards 337
Smart Card Construction 337
Talking to a Smart Card 339
Smart Card Classifications 341
Non-Crypto Cards 342
Crypto Cards 343
When Are Smart Cards Not Smart Cards? 345
Applications on a Smart Card 346
Smart Card Operating Systems 347
Smart Card Tamper Resistance 348
Structural Tamper Resistance 351
Smart Card Recap 354
Smart Cards and PKI 355
Biometric Authentication 359
How Biometrics Work 359
Biometric Data 360
Registration 361
FAR/FRR 362
The Biometric Design Center 362
Issues with Biometrics 364
Coverage 364
Agent-Side Spoofing 365
Server-Side Attacks 367
Social Issues 368
Cross-System Replay 369
Revocation 370
Recommendations 371
The Holy Grail: Biometrics and PKI 372
Biometric Recap 373
Wrapping Up Authentication 374
Chapter 10 Deployment and Operation 377
PKI Planning 377
Business Drivers 378
Applications Planning 380
Architecture Planning 381
User Impact 384
Support and Administration 386
Infrastructure Impact 387
Certificate Content Planning 389
Database Integration 391
Legal and Policy Considerations 393
Trust Models 397
Deployment Considerations 403
Operational Considerations 405
Summary 407
Chapter 11 PKI and Return on Investment 409
Total Cost of Ownership: The “I” in ROI 410
Products/Technologies 411
Plant (Facilities) 413
People 413
Process 413
Total Cost of Ownership: Summary 414
Financial Returns: The “R” in ROI 414
Business Process 416
Metrics 421
Revenues 421
Costs 423
Compliance 427
Risks 428
Financial Returns: Summary 430
PKI ROI: Summary 431
References 433
Appendix A X.509 Certificates 435
Appendix B Solution to the Test 461
Appendix C Privilege Management Infrastructure 469
Glossary 487
Index 497



Monday, May 23, 2011

Guide to Information Technology Security Services

Table of Contents
1. Introduction ......................................................................................................................1-1
1.1 Authority...................................................................................................................1-1
1.2 Purpose....................................................................................................................1-1
1.3 Limitations................................................................................................................1-2
1.4 Intended Audience ...................................................................................................1-2
1.5 Document Organization ...........................................................................................1-2
2. Roles and Responsibilities .............................................................................................2-1
2.1 Chief Information Officer ..........................................................................................2-1
2.2 Contracting Officer ...................................................................................................2-1
2.3 Contracting Officer’s Technical Representative .......................................................2-1
2.4 IT Investment Board (or equivalent).........................................................................2-1
2.5 IT Security Program Manager..................................................................................2-1
2.6 IT System Security Officer .......................................................................................2-1
2.7 Program Manager (Owner Of Data)/Acquisition Initiator .........................................2-2
2.8 Privacy Officer..........................................................................................................2-2
2.9 Other Participants ....................................................................................................2-2
3. IT Security Services .........................................................................................................3-1
3.1 Overview of IT Security Services .............................................................................3-1
3.2 Overview of IT Security Service Arrangements .......................................................3-1
3.3 Overview Of IT Security Services Management Tools.............................................3-2
3.4 Overview of IT Security Services Issues..................................................................3-2
3.5 General Considerations for IT Security Services .....................................................3-3
3.6 Organizational Conflict of Interest............................................................................3-5
4. IT Security Services Life Cycle .......................................................................................4-1
4.1 Phase 1: Initiation ...................................................................................................4-2
4.2 Phase 2: Assessment .............................................................................................4-3
4.2.1 Baseline Existing Environment .....................................................................4-4
4.2.2 Analyze Opportunities and Barriers..............................................................4-6
4.2.3 Identify Options and Risks............................................................................4-7
4.3 Phase 3: Solution....................................................................................................4-8
4.3.1 Develop the Business Case .........................................................................4-9
4.3.2 Develop the Service Arrangement ...............................................................4-9
4.3.3 Develop the Implementation Plan ..............................................................4-10
4.4 Phase 4: Implementation ......................................................................................4-10
4.4.1 Identify Service Provider and Develop Service Agreement........................4-11
4.4.2 Finalize and Execute the Implementation Plan ..........................................4-13
4.4.3 Manage Expectations.................................................................................4-13
4.5 Phase 5: Operations ..............................................................................................4-13
4.5.1 Monitor Service Provider Performance ......................................................4-14
4.5.2 Monitor and Measure Organization Performance.......................................4-14
4.5.3 Evaluate and Evolve...................................................................................4-15
4.6 Phase 6: Closeout.................................................................................................4-15
4.6.1 Select Appropriate Exit Strategy ................................................................4-16
4.6.2 Implement Appropriate Exit Strategy..........................................................4-16
5. Types of Services.............................................................................................................5-1
5.1 Management Security Services ...............................................................................5-2
5.1.1 IT Security Program Development ...............................................................5-2
5.1.2 IT Security Policy..........................................................................................5-3
5.1.3 Risk Management ........................................................................................5-4
5.1.4 IT Security Architecture ................................................................................5-4
5.1.5 Certification and Accreditation......................................................................5-4
5.1.6 IT Security Product Evaluation .....................................................................5-5
5.2 Operational Security Services..................................................................................5-6
5.2.1 Contingency Planning ..................................................................................5-6
5.2.2 Incident Handling..........................................................................................5-7
5.2.3 Testing..........................................................................................................5-8
5.2.4 Training ........................................................................................................5-9
5.3 Technical Security Services...................................................................................5-11
5.3.1 Firewalls .....................................................................................................5-11
5.3.2 Intrusion Detection .....................................................................................5-11
5.3.3 Public Key Infrastructure ............................................................................5-12
Appendix A— REFERENCES ................................................................................................. A-1
Appendix B— ACRONYM LIST .............................................................................................. B-1
Appendix C— SERVICE AGREEMENT OUTLINE ................................................................ C–1
Appendix D— SAMPLE ACQUISITION LANGUAGE ........................................................... D–1
Appendix E— FREQUENTLY ASKED QUESTIONS............................................................. E–1



Monday, May 9, 2011

Information Security Management, Education and Privacy

Contents
Preface ix
10th IFIP WG 11.1 Annual Working Conference on Information Security Management Program Committees xi
IFIP TC11 WG 11.8 – Information Security Education Workshop Program Committees xii
I-NetSec04 3rd Working Conference on Privacy and Anonymity in Networked and Distributed Systems Program Committees xiii
PART ONE: 10th IFIP WG 11.1 Annual Working Conference on Information Security Management
Corporate Information Security Education: Is Outcomes Based Education the Solution?
J.V. NIEKERK, R.V. SOLMS 3
Towards Corporate Information Security Obedience
K.L. THOMSON AND R. VON SOLMS 19
CIIP-RAM - A Security Risk Analysis Methodology for Critical Information Infrastructure Protection
T.B. BUSUTTIL, M.J. WARREN 33
A Framework For Role-based Monitoring of Insider Misuse
A.H. PHYO, S.M. FURNELL, F. PORTILLA 51
Update/Patch Management Systems: A Protocol Taxonomy with Security Implications
A. COLARIK, C. THOMBORSON, L. JANCZEWSKI 67
Investigating a Smart Technology
K. O’SULLIVAN, K. NEVILLE, C. HEAVIN 81
PART TWO: IFIP TC11 WG 11.8 – Information Security Education Workshop
Laboratory Support for Information Security Education
N. MILOSLAVSKAIA, A. TOLSTOI, D. USHAKOV 101
An Holistic Approach to an International Doctoral Program
L. YNGSTRÖM 117
A New Paradigm for Information Security Education at Doctoral Level
N. JAYARATNA 133
Highly Qualified Information Security Personnel Training in Russia
V. GORBATOV, A. MALUK, N. MILOSLAVSKAYA, A. TOLSTOY 141
Doctor of Philosophy: IT Security
J. SLAY 147
Doctoral Programme on Information and Communication Systems Security at the University of the Aegean
S. KATSIKAS 153
An International Security Perspective
G. QUIRCHMAYR 159
Do Military Forces Need Ph.D.s?
R. DODGE 165
A Doctoral Program with Specialization in Information Security: A High Assurance Constructive Security Approach
C. IRVINE, T. LEVIN 173
PART THREE: I-NetSec04 3rd Working Conference on Privacy and Anonymity in Networked and Distributed Systems
A Security Model for Anonymous Credential Systems
A. PASHALIDIS, C.J. MITCHELL 183
Private Information Storage with Logarithm-Space Secure Hardware
A. ILIEV, S. SMITH 201
Taxonomy of Mixes and Dummy Traffic
C. DIAZ, B. PRENEEL 217
Identity Management for Self-Portrayal
T. BAIER, C.P. KUNZE 233
Privacy Preserving Online Reputation Systems
M. VOSS 249
A Risk Driven Approach to Designing Privacy Enhanced Secure
E.V. HERREWEGHEN 265
Privacy Invasive Software in File-Sharing Tools
A. JACOBSSON, M. BOLDT, B. CARLSSON 281
Infusing Privacy Norms in DRM – Incentives and Perspectives
A. CAMERON 297



How to Cheat at Managing Information Security

Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Chapter 1 The Security Organization . . . . . . . . . . . . . . . 1
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Where to Put the Security Team . . . . . . . . . . . . . . . . . . .2
Where Should Security Sit? Below the IT Director Report . . . . . . . . . .3
Pros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Where Should Security Sit? Below the Head of Audit . . .5
Pros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Where Should Security Sit? Below the CEO, CTO, or CFO 6
Pros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Your Mission—If You Choose to Accept It . . . . . . . . . . . . . .7
Role of the Security Function: What’s in a Job? . . . . . . . . . . .7
Incident Management and Investigations . . . . . . . . . . . . .8
Legal and Regulatory Considerations . . . . . . . . . . . . . . . .9
Policy, Standards, and Baselines Development . . . . . . . . .10
Business Consultancy . . . . . . . . . . . . . . . . . . . . . . . . . .10
Architecture and Research . . . . . . . . . . . . . . . . . . . . . . .11
Assessments and Audits . . . . . . . . . . . . . . . . . . . . . . . . .11
Operational Security . . . . . . . . . . . . . . . . . . . . . . . . . . .12
The Hybrid Security Team: Back to Organizational Studies 12
Making Friends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
The Board . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Internal Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Legal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Help Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
System Development . . . . . . . . . . . . . . . . . . . . . . . .16
Tech Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
What Makes a Good CISO? . . . . . . . . . . . . . . . . . . . . . . . .17
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Chapter 2 The Information Security Policy . . . . . . . . . . 19
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Policy, Strategy, and Standards: Business Theory . . . . . . . . . .21
Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Tactics and Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Operations: Standards and Procedures . . . . . . . . . . . . . . .24
Back to Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
The Security Strategy and the Security Planning Process . . .25
Security Organization . . . . . . . . . . . . . . . . . . . . . . . .28
Security Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Security Policy Revisited . . . . . . . . . . . . . . . . . . . . . . . . . .30
Policy Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
What Do I Need to Set a Policy On? . . . . . . . . . . . .33
Template, Toolkit, or Bespoke? . . . . . . . . . . . . . . . . . .34
So Why Haven’t I Just Told You How to Write a Good Information Security Policy? . . . . . . . . . . . . . . . . . . .35
Security Standards Revisited . . . . . . . . . . . . . . . . . . . . . . . .36
Compliance and Enforcement . . . . . . . . . . . . . . . . . . . . . . .37
Information Security Awareness: The Carrot . . . . . . . . . .38
Active Enforcement: The Stick . . . . . . . . . . . . . . . . . . . .40
Patch Management . . . . . . . . . . . . . . . . . . . . . . . . . .40
Automated Audit Compliance . . . . . . . . . . . . . . . . . .40
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Chapter 3 Jargon, Principles, and Concepts . . . . . . . . . 49
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
CIA: Confidentiality, Integrity, and Availability . . . . . . . . . . .51
Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Nonrepudiation . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
When Is CIA Used? . . . . . . . . . . . . . . . . . . . . . . . . .54
The Vulnerability Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Types of Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Protective Control . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Detective Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Recovery Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Administrative Control . . . . . . . . . . . . . . . . . . . . . . . . .58
Segregation of Duties . . . . . . . . . . . . . . . . . . . . . . . .58
Job Rotation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Types of Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . .59
Quantitative Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Qualitative Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
How It Really Works: Strengths and Weaknesses . . . . . . .61
So What Now? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Types of Authentication . . . . . . . . . . . . . . . . . . . . . .64
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
AAA in Real Life . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Other Concepts You Need to Know . . . . . . . . . . . . . . . . . .66
Least Privilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Defense in Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Failure Stance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Security through Obscurity . . . . . . . . . . . . . . . . . . . . . .67
Generic Types of Attack . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Network Enumeration and Discovery . . . . . . . . . . . . . .67
Message Interception . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Message Injection/Address Spoofing . . . . . . . . . . . . . . .68
Session Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Message Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Brute-Force Attacks on Authenticated Services . . . . . . . .69
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Chapter 4 Information Security Laws and Regulations 71
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
U.K. Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Computer Misuse Act 1990 . . . . . . . . . . . . . . . . . . . . . .73
How Does This Law Affect a Security Officer? . . . . .75
The Data Protection Act 1998 . . . . . . . . . . . . . . . . . . .75
How Does This Law Affect a Security Officer? . . . . .76
Other U.K. Acts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
The Human Rights Act 1998 . . . . . . . . . . . . . . . . . .77
The Regulation of Investigatory Powers Act 2000 . . .78
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 . . . . .79
The Freedom of Information Act 2000 . . . . . . . . . .80
Audit Investigation and Community Enterprise Act 2005 . . . . . . . . . . . . . . . .80
Official Secrets Act . . . . . . . . . . . . . . . . . . . . . . . . . .80
U.S. Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
California SB 1386 . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Sarbanes-Oxley 2002 . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Section 201 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Section 302 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Section 404 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Gramm-Leach-Bliley Act (GLBA) . . . . . . . . . . . . . . . . .84
Health Insurance Portability and Accountability Act (HIPAA) . . . . . . . . . . . . . . . . . .85
USA Patriot Act 2001 . . . . . . . . . . . . . . . . . . . . . . . . .85
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Chapter 5 Information Security Standards and Audits . . . . 87
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
BS 7799 and ISO 17799 . . . . . . . . . . . . . . . . . . . . . . . .89
A Canned History of BS 7799 . . . . . . . . . . . . . . . . .90
History of BS 7799, Part 2 . . . . . . . . . . . . . . . . . . . .92
PDCA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
ISO/IEC 27001:2005: What Now for BS 7799? . . . . . . . . .98
PAS 56 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
What Is PAS 56? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
The Stages of the BCM Life Cycle . . . . . . . . . . . . . . .100
Stage 1: Initiate the BCM Project . . . . . . . . . . . . . .100
Stage 2: Understand the Business . . . . . . . . . . . . . . .100
Stage 3: Define BCM Strategies . . . . . . . . . . . . . . . .100
Stage 4: Produce a BCM Plan . . . . . . . . . . . . . . . . .101
Stage 5: Instill a BCM Culture . . . . . . . . . . . . . . . .101
Stage 6: Practice, Maintain, and Audit . . . . . . . . . . .101
FIPS 140-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Should I Bother with FIPS 140-2? . . . . . . . . . . . . . . . .102
What Are the Levels? . . . . . . . . . . . . . . . . . . . . . . . . . .102
Common Criteria Certification . . . . . . . . . . . . . . . . . . . . .103
Other CC Jargon . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
The Security Target . . . . . . . . . . . . . . . . . . . . . . . .103
Protection Profile . . . . . . . . . . . . . . . . . . . . . . . . .103
Evaluation Assurance Level . . . . . . . . . . . . . . . . . . .103
Types of Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Computer Audit as Part of the Financial Audit . . . . . . .104
Section 39 Banking Audit . . . . . . . . . . . . . . . . . . . . . .105
SAS 70 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Other Types of Audits . . . . . . . . . . . . . . . . . . . . . . . . .107
Tips for Managing Audits . . . . . . . . . . . . . . . . . . . . . .108
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Chapter 6 Interviews, Bosses, and Staff . . . . . . . . . . 111
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Interviews as the Interviewee . . . . . . . . . . . . . . . . . . . .112
Interview 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Interview 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Interview 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Interview 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Preinterview Questionnaires . . . . . . . . . . . . . . . . . . . .117
Interviews as the Interviewer . . . . . . . . . . . . . . . . . . . .119
Interview 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Interview 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Bosses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Runner-up for the Worst Boss in the World . . . . . . . . .120
Worst Boss in the World . . . . . . . . . . . . . . . . . . . . . . .120
Worst Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Chapter 7 Infrastructure Security . . . . . . . . . . . . . . . . 123
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Network Perimeter Security . . . . . . . . . . . . . . . . . . . .124
The Corporate Firewall . . . . . . . . . . . . . . . . . . . . . . . .126
Threat Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
E-mail Protection . . . . . . . . . . . . . . . . . . . . . . . . . .128
Browser Content Control and Logging . . . . . . . . . .130
Web and FTP Server . . . . . . . . . . . . . . . . . . . . . . .131
Remote Access DMZ . . . . . . . . . . . . . . . . . . . . . . . . .131
Threat Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Remote Access Design Options . . . . . . . . . . . . . . . .132
E-commerce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Threat Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Threat Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Just Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Chapter 8 Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
What Is a Firewall, and What Does It Do? . . . . . . . . . .144
Why Do We Need Firewalls? . . . . . . . . . . . . . . . . . . . .146
Firewall Structure and Design . . . . . . . . . . . . . . . . . . . . . .147
Firewall Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Screening Routers . . . . . . . . . . . . . . . . . . . . . . . . .148
Application-Level Gateways or Proxies . . . . . . . . . .148
Circuit-Level Gateways . . . . . . . . . . . . . . . . . . . . . .149
The Stateful Inspection Firewall . . . . . . . . . . . . . . .149
So What Are the Features You Want from a Firewall? . .151
Stateful Rule Base . . . . . . . . . . . . . . . . . . . . . . . . .151
NAT/PAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Antispoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Advanced Logging . . . . . . . . . . . . . . . . . . . . . . . . .155
User-Authenticated Traffic . . . . . . . . . . . . . . . . . . .155
IPSec Termination . . . . . . . . . . . . . . . . . . . . . . . . .156
Ability to Define Your Own Protocols . . . . . . . . . . .156
Time-Based Rules . . . . . . . . . . . . . . . . . . . . . . . . .157
Other Types of Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . .157
Stealth Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Virtualized Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . .158
Commercial Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
The Cisco PIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Adaptive Security Algorithm . . . . . . . . . . . . . . . . .159
Cut-Through Proxy . . . . . . . . . . . . . . . . . . . . . . .161
Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Check Point FireWall-1 . . . . . . . . . . . . . . . . . . . . . . . .164
How It Works . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
The Gory Details . . . . . . . . . . . . . . . . . . . . . . . . . .167
Security Policy: Global Policies . . . . . . . . . . . . . . . .170
SYNDefender . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Antispoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Chapter 9 Intrusion Detection Systems: Theory . . . . . 175
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Why Bother with an IDS? . . . . . . . . . . . . . . . . . . . . . . . . .178
Problems with Host-Based IDSes . . . . . . . . . . . . . . . . .179
Whether to Use a HIDS or Not? That Is the Question . . . . . . . . . . . .179
And Is It A Bad Thing? . . . . . . . . . . . . . . . . . . . . . .180
NIDS in Your Hair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Detection Flaws . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Dropped Packets . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Fragment Reassembly . . . . . . . . . . . . . . . . . . . . . . .183
Packet Grepping versus Protocol Analysis, or Just Not Working Right . . . . .184
Lazy Rule Structure . . . . . . . . . . . . . . . . . . . . . . . .188
Poor Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
SSL and Encryption . . . . . . . . . . . . . . . . . . . . . . . .190
Asymmetric Routing . . . . . . . . . . . . . . . . . . . . . . .192
Poor Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .193
Signature Analysis . . . . . . . . . . . . . . . . . . . . . . . . . .193
Anomalous Traffic Detection . . . . . . . . . . . . . . . . . .195
For the Technically Minded . . . . . . . . . . . . . . . . . . . . . . . .199
Snort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
RealSecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Chapter 10 Intrusion Detection Systems: In Practice 205
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Introduction: Tricks, Tips, and Techniques . . . . . . . . . . . . . .206
Deploying a NIDS: Stealth Mode . . . . . . . . . . . . . . . . .206
Spanning Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Tap Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Failover Monitoring . . . . . . . . . . . . . . . . . . . . . . . .210
Aggregating Different Flows . . . . . . . . . . . . . . . . . .211
Asymmetric Routing . . . . . . . . . . . . . . . . . . . . . . . . . .212
IDS Deployment Methodology . . . . . . . . . . . . . . . . . . . . .213
The Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Step 1: Planning Sensor Position and Assigning Positional Risk . . . . . . . . . . . . .217
Sensor 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Step 2: Establish Monitoring Policy and Attack Gravity 219
Step 3: Reaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Step 4: Further Action: IPS . . . . . . . . . . . . . . . . . . . . .223
Firewalls, Master Blocking, and Inline IPSes . . . . . . .223
Host Detectors . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Application Interface . . . . . . . . . . . . . . . . . . . . . . . .224
Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Information Management . . . . . . . . . . . . . . . . . . . . . . . .225
Log Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Console Management . . . . . . . . . . . . . . . . . . . . . . . . .226
Logical Access Controls . . . . . . . . . . . . . . . . . . . . . .226
Incident Response and Crisis Management . . . . . . . . . . . .227
Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
Eradication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
Other Valuable Tips . . . . . . . . . . . . . . . . . . . . . . . . . .230
Test and Tune . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Tune . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Reduce False Positives . . . . . . . . . . . . . . . . . . . . . .231
Reduce False Negatives . . . . . . . . . . . . . . . . . . . . .232
Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
Technical Testing . . . . . . . . . . . . . . . . . . . . . . . . . . .232
Covert Penetration Testing . . . . . . . . . . . . . . . . . . .233
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Chapter 11 Intrusion Prevention and Protection . . . . 235
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
What Is an IPS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Active Response: What Can an IPS Do? . . . . . . . . . . . . . .238
A Quick Tour of IPS Implementations . . . . . . . . . . . . . . . .239
Traditional IDSes with Active Response . . . . . . . . . . . .240
In-Line Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
General In-Line IPSes . . . . . . . . . . . . . . . . . . . . . . .242
DDoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Application Firewall . . . . . . . . . . . . . . . . . . . . . . . .243
Deception Technology . . . . . . . . . . . . . . . . . . . . . . . . .245
Why Would I Want One? . . . . . . . . . . . . . . . . . . . .245
Extended Host OS Protection . . . . . . . . . . . . . . . . . . .246
Why Would I Want One? . . . . . . . . . . . . . . . . . . . .246
Example Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Dealing with DDoS Attacks . . . . . . . . . . . . . . . . . . . . .247
How It Works . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Scrubbing and Cleansing: The Cisco Guard . . . . . . .249
An Open Source In-Line IDS/IPS: Hogwash . . . . . . . .250
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Chapter 12 Network Penetration Testing . . . . . . . . . . 255
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Types of Penetration Testing . . . . . . . . . . . . . . . . . . . . . . .258
Network Penetration Test . . . . . . . . . . . . . . . . . . . . . . .258
Application Penetration Test . . . . . . . . . . . . . . . . . . . .258
Periodic Network Vulnerability Assessment . . . . . . . . . .258
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Network Penetration Testing . . . . . . . . . . . . . . . . . . . . . .259
An Internet Testing Process . . . . . . . . . . . . . . . . . . . . .259
Test Phases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Passive Research . . . . . . . . . . . . . . . . . . . . . . . . . . .259
Network Enumeration and OS Fingerprinting . . . . .262
Host Enumeration . . . . . . . . . . . . . . . . . . . . . . . . .262
Vulnerability Scanning . . . . . . . . . . . . . . . . . . . . . .265
Scenario Analysis . . . . . . . . . . . . . . . . . . . . . . . . . .266
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Internal Penetration Testing . . . . . . . . . . . . . . . . . . . . .270
Application Penetration Testing . . . . . . . . . . . . . . . . . .270
Application Pen Test Versus Application System Testing . . . . . . . . . . . . . .270
Controls and the Paperwork You Need . . . . . . . . . . . . . . .274
Indemnity and Legal Protection . . . . . . . . . . . . . . . . . .274
Scope and Planning . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Success Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
DoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . .276
What’s the Difference between a Pen Test and Hacking? . . .276
Who Is the Hacker? . . . . . . . . . . . . . . . . . . . . . . . . . .276
The Digital Blagger: Hacking for Profit . . . . . . . . .277
Hacktivists: The Digital Moral Outrage . . . . . . . . . .277
White Hats: The Digital Whistleblowers . . . . . . . . . .278
Script Kiddies . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
The End of the Story . . . . . . . . . . . . . . . . . . . . . . .279
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Chapter 13 Application Security Flaws and Application Testing . . . . . . . . . . . . . . . . . . . 281
Anecdote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
The Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Configuration Management . . . . . . . . . . . . . . . . . . . . . . .284
Unvalidated Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . .288
SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Command Injection . . . . . . . . . . . . . . . . . . . . . . . . . .294
Bad Identity Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Forceful Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
URL Parameter Tampering . . . . . . . . . . . . . . . . . . . . .297
Insecure Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Fixing Things . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Qwik Fix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299
For the More Technically Minded . . . . . . . . . . . . . . . . . . .299
Does It Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

