1. Server Side Security
1.1. Open Web Application Security Project( OWASP)
1.1.1. 1. Injection
1.1.1.1. SQL Injection
1.1.1.1.1. ' OR 1 = 1'
1.1.1.2. Counter measures
1.1.1.2.1. escaping
1.1.1.2.2. prepared statements (Java)
1.1.1.2.3. parameter collection (.NET)
1.1.2. 2. Cross-Site Scripting (XSS)
1.1.2.1. Reflected XSS
1.1.2.1.1. Link an Opfer mit JS Code
1.1.2.2. Stored XSS
1.1.2.2.1. Daten speichern (Forum)
1.1.3. 3. Broken Authentication and Session Management
1.1.3.1. Verbose login forms (Username is wrong)
1.1.3.2. Session-IDs stored in server logs
1.1.3.3. Prevention
1.1.3.3.1. Send session id over HTTPS only
1.1.3.3.2. Use restrictive cookie parameters
1.1.3.3.3. Use non-persistent session tracking techniques
1.1.3.3.4. Non-guessable session ids
1.1.3.3.5. Provide a logout button for users
1.1.3.3.6. Change Session after successful authentication
1.1.4. 4. Insecure Direct Object Reference
1.1.4.1. Access to lower layer/backend with a technincal user
1.1.4.2. access to restricted sites
1.1.5. 5. Cross-Site Request Forgery (XSRF)
1.1.5.1. Prevention
1.1.5.1.1. nonce for special actions (buy, sell ...)
1.1.6. 6. Security Misconfiguration
1.1.6.1. Telling about system (exposing details)
1.1.7. 7. Insecure Cryptographic Storage
1.1.7.1. eg. passwords stored in cleartext
1.1.7.2. using own "security algorithms"
1.1.7.3. keys/salt publicly available
1.1.7.4. hash=SHA-256(password + salt) => store hash, salt
1.1.8. 8. Failure to Restrict URL Access
1.1.8.1. Pages with admin actions are not or weakly protected
1.1.8.2. Access to pages, which aren't allowed with the logged in profile
1.1.8.3. evaluating user rights only on the client
1.1.8.4. Prevention
1.1.8.4.1. Input Validation
1.1.8.4.2. Server Hardening
1.1.9. 9. Insufficient Transport Layer Protect
1.1.9.1. Vulnerabilities
1.1.9.1.1. SSL/TLS missing
1.1.9.1.2. Weak SSL version enabled (SSLv2)
1.1.9.1.3. Weak cipher suites enabled (e.g. NULL cipher)
1.1.9.1.4. Invalid server certificate
1.1.9.1.5. Weak server certificate
1.1.9.2. Remediation
1.1.9.2.1. Enable SSL/TLS to protect session information
1.1.9.2.2. Enable SSLv3, TLSv1 only
1.1.9.2.3. Enable strong cipher suites only (SHA-1 in combination with AES-128+)
1.1.9.2.4. Acquire publicly trusted server certificate
1.1.9.2.5. Ensure certificate key material has at least 2048 Bits
1.1.10. 10. Unvalidated Redirects and Forwards
1.1.10.1. Prevention
1.1.10.1.1. Validate parameters containing redirect URLs
1.1.10.1.2. Use "symbols" for redirections which get mapped to URLs server-side
1.1.10.1.3. Prefix URL with / to get an URL relative to the current site
1.1.11. OWASP Enterprise Security API (ESAPI)
1.2. OSSTMM
1.2.1. Open Source Security Testing Methodology Manual
1.2.2. Netzwerk Security, weniger Anwendungsecurity
1.2.3. Vorgehen
1.2.3.1. Quantifizierbarkeit / RAV (Risk Assesment Value)
1.2.3.2. Verhaltenskodex für Tester
1.2.3.3. Security Test Audit Report
1.2.3.3.1. Dokumentation
1.2.3.4. Vollständigkeit und Genauigkeit
1.2.3.5. Gesetzt- und Standartkonform
1.2.3.6. Zertifizierungsmöglichkeit
1.2.4. Components
1.2.4.1. Physical Security
1.2.4.1.1. Human
1.2.4.2. Spectrum Security
1.2.4.2.1. Wireless
1.2.4.3. Communications Security
1.2.4.3.1. Data Networks
1.2.4.3.2. Telecommunications
1.2.5. Definition Security Test Scope
1.2.5.1. Assets/Targets Definition
1.2.5.2. Areas of interactions
1.2.5.3. External impacts on assets
1.2.5.4. Interactions of asset with itself and outside
1.2.5.5. Equipment needed for test
1.2.5.6. Expected results of the test
1.2.5.7. Compliance with rules of engagement
2. True Random Number Generation
2.1. HMAC
2.2. Sources
2.2.1. Key Stroke Timing
2.2.2. Mouse Movements
2.2.3. Sample Sound Card Input
2.2.3.1. verify entropy
2.2.3.2. but pretty in combination with other methods
2.2.4. Network Packet Arrival Time
2.2.4.1. can be manipulated
2.2.5. Serial numbers
2.2.5.1. very, very bad idea, can be guessed / calculated
2.2.6. Lava Lamps
2.2.7. Radioactive Decay
3. Voice-over-IP Security
3.1. Securing the media stream
3.1.1. SRTP
3.1.1.1. needs secret master key
3.1.1.2. Multimedia Internet KEYing
3.1.2. IPsec
3.1.2.1. IKE
3.1.2.2. large overhead in RTP audio packet
3.1.2.2.1. 60 - 80 bytes / packet
3.2. MIKEY
3.2.1. Diffie Hellman
3.2.2. RSA Public Key Encryption Method
4. Buffer Overflows
5. Software Security
6. Web Services Security
7. Client Side Security
8. Risk Management
8.1. Risiko
8.1.1. Assets (Information)
8.1.2. Protection
8.1.3. Vulernabilities
8.1.4. Threats
8.2. ISO
8.2.1. 27005
8.2.1.1. Information security risk management
8.2.2. 27001
8.2.2.1. Risikoidentifikation
8.2.2.2. Risikobewertung
8.2.2.2.1. Fehler-Möglichkeits- und Einflus-Analyse
8.2.2.2.2. Hazard and Operability Study
8.2.2.2.3. Hazard Analysis and Critical Control Points
8.2.2.2.4. Zurich Hazard Analysis
8.2.2.2.5. NIST - Risk Management Guide for Information Technology Systems
8.2.2.3. Risikosteuerung
8.2.2.3.1. Vermeiden
8.2.2.3.2. Vermindern
8.2.2.3.3. Abwälzen
8.2.2.3.4. Selbst tragen
8.2.2.4. Risikoüberwachung, Reporting
8.2.3. 27002
8.2.3.1. von BSI UK
8.3. British Standards Insitute
8.3.1. BS 25999 (BCM)
8.3.1.1. Analysis
8.3.1.2. Solution Design
8.3.1.3. Implementation
8.3.1.4. Testing and organization acceptance
8.3.1.5. Maintenance
8.4. BSI Grundschutzhandbuch
8.4.1. Schichten
8.4.1.1. Anwendungen
8.4.1.2. übergreifende Aspekte
8.4.1.3. Infrastruktur
8.4.1.4. IT-Systeme
8.4.1.5. Netze/Netzwerke
8.4.2. Gefährdungskatalog
8.4.2.1. höhere Gewalt
8.4.2.1.1. Blitz, Unwetter, Feuer, Wasser, Krankheit
8.4.2.2. Technisches Versagen
8.4.2.2.1. Ausfall von Komponenten (Disk, Power)
8.4.2.3. Organisatorische Mängel
8.4.2.3.1. Zuständigkeiten nicht klar
8.4.2.4. Menschliches Fehlverhalten
8.4.2.4.1. Fehler beim Einspielen von Patches, Auskunft an falsche Personen (Social Engineering), vertrauliche Informationen im Zug diskutiert
8.4.2.5. vorsätzliche Handlungen
8.4.2.5.1. Hacking, Vandalismus, Einspielen von Malware
8.4.3. Massnahmenkatalog
8.4.3.1. Infrastruktur
8.4.3.2. Hardware/Software
8.4.3.3. Kommunikation
8.4.3.4. Organisation
8.4.3.5. Personal
8.4.3.6. Notfallvorsorge
9. Smartcards
9.1. Filesystem
9.1.1. 3F00 MF
9.1.1.1. Root Directory
9.1.2. 0000 EF
9.1.2.1. Pin & Puk #1
9.1.3. 0100 EF
9.1.3.1. Pin & Puk #2
9.1.4. 0011 EF
9.1.4.1. Management Keys
9.1.5. 0001 EF
9.1.5.1. Application Keys
9.2. Usage
9.2.1. Public Key based login
9.2.2. SSL/TLS client side authentication
9.2.3. S/MIME
9.2.4. VPN User/Host authentication
10. Anonymity
10.1. Mix Functionality
10.1.1. Drop message duplicates
10.1.1.1. doppelt ankommende Packete löschen, da sonst Packete verfolgt werden können
10.1.2. Decryption
10.1.2.1. Server muss mit privatem Schlüssel Packet entpacken, um nächsten HOP zu erkennen und mit richtigem Schlüssel zu verschlüsseln
10.1.3. Message re-sorting buffer
10.1.3.1. soll Timing-Analysis-Attack verhindern
10.1.3.2. Packete verlassen HOP in zufälliger Reihenfolge