... Network Attack and Defense. CHAPTER 18: Network Attack and Defense. Whoever thinks his problem can be solved using cryptography, doesn't understand his problem and doesn't understand cryptography. —ATTRIBUTED ... enough, and either does the attack very slowly or does a large number of small attacks. ... monoculture today); and that people who stayed calm and didn't ... Alice shortly beforehand and use the fact that the value of Y changed in a predictable way between one connection and the next. Modern stacks use random number generators and other techniques...
... Mil-Specs and Mil-Stds by directing the services and relevant defense agencies to "use performance and commercial specifications and standards instead of military specifications and standards, ... Mr. Stephen Lowell and Mr. Bill Lee, Defense Logistics Agency; Mr. Lynn Mohler, U.S. Army Standardization Office; and Mr. Clark Walker and Major Walter Hallman, U.S. Air Force Standardization Office. ... its military specifications and standards reform (MSSR) efforts appeared to be underfunded. The study had four objectives: first, to define the status of Navy military specification and standards...
... contemporary virus threats, defense techniques, and books on computer viruses, The Art of Computer Virus Research and Defense is a reference written strictly for white hats: IT and security professionals responsible ... over 70 articles and papers on the subject of computer viruses and security for magazines such as Virus Bulletin, Chip, Source, Windows NT Magazine, and Information Security. IT and security professionals ... Scanning and Copyright: Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the...
... draft responses provided by DP, DPAP and DCMA and agree with their views. DP and DPAP Management Comments. In a joint memorandum dated July 10, 2012, DP and DPAP responded that they strongly ... potential for identifying fraud, waste and abuse, iii. The potential for identifying Federal Acquisition Regulation and Cost Accounting Standard violations, and iv. The need to serve the public ... Management Comments and Our Response. See Finding A, Management Comments, and Finding A, Our Response, regarding those aspects of the joint DPAP and DP response related to DCMA performance and any actions...
... annual budgets and accounts. Controlling interperiod equity calls for appropriate budgeting and accounting systems, and also equity measures, although the latter are in practice ambiguous and controversial. Public ... budgeting and budgetary accounting are traditionally based on the concepts of expenditure and revenue, and the principle that annual revenues should cover annual expenditures, i.e. the budgets and ... 102.61 million) and the total balance for 2004–2007 is EUR 79.67 million (see Table 4 and Figure 2). The surplus for 2005 is sufficient to cover the deficit spending and balance the budget and accounts...
...

UNDERSTANDING WEB APPLICATIONS
- It is nearly impossible to write a program without bugs
- Some bugs create security vulnerabilities
- Web applications have bugs too
- Web applications have a larger user base than standalone applications, so their bugs reach more users and are exposed to more attackers

WEB APPLICATION COMPONENTS
- Static Web pages: created using HTML
- Dynamic Web pages need special components:
  - <form> tags
  - Common Gateway Interface (CGI)
  - Active Server Pages (ASP)
  - PHP
  - ColdFusion
  - Scripting languages
  - Database connectors

WEB FORMS
- Use the <form> element (tag) in an HTML document
- Allow a customer to submit information to the Web server
- The Web server hands the submitted data to a Web application for processing
- Form fields are an easy point for attackers to intercept, or tamper with, the data that users submit to a Web server

APACHE WEB SERVER
- Apache HTTP Server is another Web server program; at the time of these slides it hosted roughly 50% to 60% of all Web sites
- Advantages:
  - Works on just about any *NIX and Windows platform
  - It is free
- Apache Tomcat is the Java servlet container from the same project; it requires the Java 2 Standard Edition runtime (J2SE, version 5.0)

USING SCRIPTING LANGUAGES
- Dynamic Web pages can be developed using scripting languages:
  - VBScript
  - JavaScript
  - PHP

OPEN DATABASE CONNECTIVITY (ODBC)
- Standard database access method developed by the SQL Access Group
- The ODBC interface allows an application to access data stored in a database management system (DBMS)
- Any system that understands and can issue ODBC commands can use it
- Interoperability among back-end DBMSs is a key feature of the ODBC interface

OPEN DATABASE CONNECTIVITY (ODBC) (CONTINUED)
- ODBC defines:
  - A standardized representation of data types
  - A library of ODBC functions
  - Standard methods of connecting to and logging on to a DBMS

APPLICATION VULNERABILITIES COUNTERMEASURES
- Open Web Application Security Project (OWASP): an open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications
- Publishes the Ten Most Critical Web Application Security Vulnerabilities
- Top 10 Web application vulnerabilities:
  - Unvalidated parameters: input arriving in HTTP requests is used by the application without being validated
  - Broken access control: developers implement access controls but fail to test them properly

APPLICATION VULNERABILITIES COUNTERMEASURES (CONTINUED)
- Top 10 Web application vulnerabilities (continued):
  - Remote administration flaws: an attacker can gain access to the Web server through the remote administration interface
  - Web and application server misconfiguration: Web server software is usually vulnerable as installed out of the box
    - Default accounts and passwords
    - Overly informative error messages

DOES THE WEB APPLICATION USE DYNAMIC WEB PAGES?
- Static Web pages by themselves do not create a security problem; the attack surface comes with dynamic content
- IIS attack example:
  - Submit a specially formatted URL to the target Web server
  - IIS does not correctly parse the URL information
  - Attackers could launch a Unicode exploit
  - http://www.nopatchiss.com/scripts/ ...

DOES THE WEB APPLICATION CONNECT TO A BACKEND DATABASE SERVER? (CONTINUED)
- Basic testing should look for:
  - Whether you can enter text with punctuation marks
  - Whether you can enter a single quotation mark followed by any SQL keyword
  - Whether you can get any sort of database error when attempting to inject SQL

DOES THE WEB APPLICATION REQUIRE AUTHENTICATION OF THE USER?
- Many Web applications rely on a separate server to authenticate users
- Examine how information is passed between the two servers: are the channels encrypted?
- Verify that logon and password information is stored in a secure place
- Authentication servers introduce a second target

ON WHAT PLATFORM WAS THE WEB APPLICATION DEVELOPED?
- Several different platforms and technologies can be used to develop Web applications
- Attacks differ depending on the platform and technology used to develop the application
- Footprinting is used to find out as much information as possible about a target system
- The more you know about a system, the easier it is to find its vulnerabilities
... 173 SmartDefense. Chapter 7 SmartDefense: The Need for SmartDefense 178; SmartDefense Solution 180; Introducing SmartDefense 180; Defending Against the Next Generation of Threats 181; Network and Transport ... and Methods by Source and Destination 379; Basic URL Filtering 380; URL Logging 380; Java and ActiveX Security 381; Securing XML Web Services (SOAP) 382; Understanding HTTP Sessions, Connections and ... username and password management) and authentication methods (how users authenticate). Firewall and SmartDefense Administration Guide, Version NGX R65, 701682, March 13, 2007. Section 3: SmartDefense...
... discussion and its impacts on the speaking ability of the non-major students at the post-elementary level in Military ... participants in the PTP group performed better and more accurately than those in the NP group in terms of EFVF and EFNF (in terms of tense, subject-verb agreement and pronouncing the morpheme -s in plurality ... complexity and accuracy. - Find out other factors that affect students' speaking competence. - Experiment with higher or mixed proficiency level students. - Include subjects of both male and female...
... [Figure: Education and GDP, one data point per OECD country (United States, United Kingdom, Switzerland, Sweden, Spain, Portugal, Poland, Norway, New Zealand, Netherlands, Luxembourg, Korea, Japan, Italy, Ireland, Iceland, Hungary, Greece, Germany, France, Finland, Denmark, Czech Republic, Slovak Republic); axis values not recoverable] ... education spending and student performance in developed countries. Greenwald, Hedges, and Laine (1996), Hanushek and Kimko (2000), and Hanushek (2002) ... The empirical evidence for a direct and ...
... Under Secretary of Defense for Acquisition, Technology, and Logistics and current Director of the Center for Public Policy and Private Enterprise at the University of Maryland; and RAND Senior Economist ... focusing mainly on the U.S. and European aerospace industries and stressing new and innovative types of approaches. Analysis of aerospace and defense industry trade and investment data suggests ... DoD Department of Defense; DoDD Department of Defense Directive; DoDI Department of Defense Instruction; DoS Department of State; DSB Defense Science Board; DSCA Defense Security Cooperation Agency; DSS Defense...