Table of Contents
Technical Editor and Contributor
Knowing What To Expect in the Rest of This Book
Understanding the Current Legal Climate
Chapter 2: The Laws of Security
Client-Side Security Doesn’t Work
You Cannot Securely Exchange Encryption Keys without a Shared Piece of Information
Malicious Code Cannot Be 100 Percent Protected against
Any Malicious Code Can Be Completely Morphed to Bypass Signature Detection
Firewalls Cannot Protect You 100 Percent from Attack
Secret Cryptographic Algorithms Are Not Secure
If a Key Is Not Required, You Do Not Have Encryption—You Have Encoding
Passwords Cannot Be Securely Stored on the Client Unless There Is Another Password to Protect Them
Security through Obscurity Does Not Work
Identifying and Understanding the Classes of Attack
Identifying Methods of Testing for Vulnerabilities
Understanding Vulnerability Research Methodologies
The Importance of Source Code Reviews
Reverse Engineering Techniques
Understanding Cryptography Concepts
Learning about Standard Cryptographic Algorithms
Knowing When Real Algorithms Are Being Used Improperly
Understanding Amateur Cryptography Attempts
Understanding Why Unexpected Data Is Dangerous
Finding Situations Involving Unexpected Data
Using Techniques to Find and Eliminate Vulnerabilities
Utilizing the Available Safety Features in Your Programming Language
Using Tools to Handle Unexpected Data
Learning about Buffer Overflows
Learning Advanced Overflow Techniques
Understanding Format String Vulnerabilities
Why and Where Do Format String Vulnerabilities Exist?
How Format String Exploits Work
Examining a Vulnerable Program
Testing with a Random Format String
Writing a Format String Exploit
Exploring Operating System APIs
Employing Detection Techniques
Understanding Session Hijacking
Playing MITM for Encrypted Communications
Chapter 12: Spoofing: Attacks on Trusted Identity
Establishing Identity within Computer Networks
Down and Dirty: Engineering Spoofing Systems
Strategic Constraints of Tunnel Design
Designing End-to-End Tunneling Systems
Command Forwarding: Direct Execution for Scripts and Pipes
Port Forwarding: Accessing Resources on Remote Networks
When in Rome: Traversing the Recalcitrant Network
Not In Denver, Not Dead: Now What?
Understanding Hardware Hacking
Opening the Device: Housing and Mechanical Attacks
Analyzing the Product Internals: Electrical Circuit Attacks
Example: Hacking the iButton Authentication Token
Example: Hacking the NetStructure 7110 E-commerce Accelerator
Chapter 15: Viruses, Trojan Horses, and Worms
How Do Viruses, Trojans Horses, and Worms Differ?
Dealing with Cross-platform Issues
How to Secure Against Malicious Software
Understanding How Signature-Based IDSs Work
Using Application Protocol Level Evasion
Chapter 17: Automated Security Review and Attack Tools
Learning about Automated Tools
Using Automated Tools for Penetration Testing
Knowing When Tools Are Not Enough
Chapter 18: Reporting Security Problems
Understanding Why Security Problems Need to Be Reported
Determining When and to Whom to Report the Problem