Wireless Java Developing With J2ME, 2nd Ed 2003

The Structure of this Book

This book is organized into fifteen chapters and one appendix. There are basically three sections. The first two chapters are introductory material. Chapters 3 through 12 provide complete coverage of the MIDP APIs. Chapters 13 through 15 cover advanced topics. The complete breakdown of chapters is listed here:

• Chapter 1, "Introduction," provides context and motivation for the rest of the book. J2ME is explained in detail, gradually zooming in to MIDP.

• Chapter 2, "Building MIDlets," is intended to be a teaser. It includes an example application that allows you to look up the definitions of words over the Internet using any MIDP device. Along the way you'll learn a lot about developing applications for the MIDP platform.

• Chapter 3, "All About MIDlets," goes into detail about the life cycle and packaging of MIDP applications. It includes new material on the MIDP 2.0 security architecture.

• Chapter 4, "Almost the Same Old Stuff," describes the pieces of the MIDP API that will be familiar to Java programmers.

• Chapter 5, "Creating a User Interface," is the first of a handful of chapters devoted to MIDP's user-interface packages. It provides an overview of MIDP's user-interface package and goes into detail about the simple visual components.

• Chapter 6, "Lists and Forms," picks up where Chapter 5 left off, describing MIDP's advanced user-interface components.

• Chapter 7, "Custom Items," shows how to create your own form items in MIDP 2.0.

• Chapter 8, "Persistent Storage," describes MIDP's mechanism for storing data.

• Chapter 9, "Connecting to the World," contains all the juicy details about how MIDP applications can send and receive data over the Internet.

• Chapter 10, "Programming a Custom User Interface," describes the low level API that can be used for specialized application user interfaces.

• Chapter 11, "The Game API," describes MIDP 2.0's new features for creating games, including sprites and tiled layers.

• Chapter 12, "Sound and Music," is all about MIDP 2.0's new multimedia capabilities. You'll learn how to produce simple tones as well as play sampled audio data.

• Chapter 13, "Performance Tuning," describes techniques for coping with the limited resources that are available on small devices.

• Chapter 14, "Parsing XML," examines the spectrum of small XML parsers that are currently available. It describes how to port parsers to MIDP and briefly discusses the usage involved with each parser.

• Chapter 15, "Protecting Network Data," discusses how to protect valuable data on the insecure Internet. It includes two sample applications that demonstrate cryptographic techniques for protecting data.

• Finally, an Appendix contains a complete API reference for the classes and interfaces that make up MIDP. The method signatures for the public API of each class and interface are listed for handy quick reference. In this second edition, the API reference is flagged to make it easy to see which methods are new in MIDP 2.0.
Read Comments To Download

Wireless Maximum Security 2006

Introduction

"Friday night is "make-it". After the meeting we slip away into the darkness, the cold night flogging us with a primal urgency. Tonight we hack Dallas. Crouched in a tricked-out SUV—ebony with tinted windows—the bizarre array of protruding antennas makes us a giant insect. We crawl along the Richardson Telecom Corridor, our faces deathly pallid in the glow of a laptop. It starts immediately, the walls of network security melting around us like ice. Within moments, the largest networks fly open. Nortel—28 access points—all wide open. Driving a little farther, our antenna starts to hum. Fujitsu, Ericsson, Alcatel…hundreds of unsecured portals streaming down our laptop in a torrent. A few are encrypted, albeit weakly, but most are bereft of even a password. And we know that they are ours. And we feel ourselves rising, towering above these buildings of steel and glass, and like gods we look down on them in scorn and pity. And then we enter…"

After the conference venue kicked us out at midnight, many followed us to a local coffee shop, where we continued teaching until close to dawn. Since that fateful night, the attendees (many of whom have since become close friends) have hounded us for any written material we could spare. This convinced us of the urgency for a printed reference on the subject.

This book is an answer to that urgency. This is the most practical guide to wireless security ever written, bar none. However, this book does not disparage any of the other excellent texts on the subject. In fact, the author of a competing wireless security book was kind enough to be our technical reviewer. Thus, we encourage other wireless security books as complementary. However, if you really want to learn how to war drive, then read this book first. If you do not audit your own wireless network very soon, then someone else will do it for you—with malicious intent.

Above all else, this is meant to be a "practical" book. Although there is plenty of theory in here for the hobbyist, the emphasis in this book is where the rubber meets the road. We start with theory, but quickly implement it using practical examples and real-world applications. After reading this book, you will know exactly how to lock down your wireless networks, step-by-step. Although the technical level is advanced, examples and case studies facilitate the material.

This book is targeted toward the security consultant, network administrator, IT manager, and "ethical" hacker. The text assumes basic experience with networking in either Windows or Linux. No prior wireless security experience is required. The level of material will appeal to the intermediate to expert practitioner.

The book is divided into the following main sections:

• Part I: Wireless Fundamentals— An introduction that includes wireless programming and WEP theory.

• Part II: Wireless Threats— A cookbook for attacking and cracking your own wireless networks for self-defense; includes airborne viruses.

• Part III: Tools of the Trade— A detailed and comprehensive review of the best wireless security tools, including step-by-step instructions for implementation.

• Part IV: Wireless Security— A guide to locking down your wireless networks; this includes WLANs, 3G wireless PKI, and WAP.

For those who still doubt the perilous state of wireless security, consider the findings of one researcher who went war driving in Alexandria, VA and found a vulnerability at the Defense Information Systems Agency (DISA) headquarters. DISA, which houses the Defense Department's Global Network Operations Center and Computer Emergency Response Team, was using a wireless LAN to control the security cameras in its front yard—without using even the most basic WEP encryption.
Read Comments To Download

Network Security With OpenSSL 2002

About This Book

The Internet is a dangerous place, more dangerous than most people realize. Many technical people know that it's possible to intercept and modify data on the wire, but few realize how easy it actually is. If an application doesn't properly protect data when it travels an untrusted network, the application is a security disaster waiting to happen.

The SSL (Secure Socket Layer) protocol and its successor TLS (Transport Layer Security) can be used to secure applications that need to communicate over a network. OpenSSL is an open source library that implements the SSL and TLS protocols, and is by far the most widely deployed, freely available implementation of these protocols. OpenSSL is fully featured and cross-platform, working on Unix and Windows alike. It's primarily used from C and C++ programs, but you can use it from the command line (see Chapter 1 through Chapter 3) and from other languages such as Python, Perl, and PHP (see Chapter 9).

In this book, we'll teach developers and administrators how to secure applications with OpenSSL. We won't just show you how to SSL-enable your applications, we'll be sure to introduce you to the most significant risks involved in doing so, and the methods for mitigating those risks. These methods are important; it takes more work to secure an SSL-enabled application than most people think, especially when code needs to run in multithreaded, highly interoperable environments where efficiency is a concern.

OpenSSL is more than just a free implementation of SSL. It also includes a general-purpose cryptographic library, which can be useful for situations in which SSL isn't an appropriate solution. Working with cryptography at such a low level can be dangerous, since there are many pitfalls in applying cryptography of which few developers are fully aware. Nonetheless, we do discuss the available functionality for those that wish to use it. Additionally, OpenSSL provides some high-level primitives, such as support for the S/MIME email standard.

The bulk of this book describes the OpenSSL library and the many ways to use it. We orient the discussion around working examples, instead of simply providing reference material. We discuss all of the common options OpenSSL users can support, as well as the security implications of each choice.

Depending on your needs, you may end up skipping around in this book. For people who want to use OpenSSL from the command line for administrative tasks, everything they need is in the first three chapters. Developers interested in SSL-enabling an application can probably read Chapter 1, then skip directly to Chapter 5 (though they will have to refer to parts of Chapter 4 to understand all the code).

Here's an overview of the book's contents:

Chapter 1

This chapter introduces SSL and the OpenSSL library. We give an overview of the biggest security risks involved with deploying the library and discuss how to mitigate them at a high level. We also look at how to use OpenSSL along with Stunnel to secure third-party software, such as POP servers that don't otherwise have built-in SSL support.

Chapter 2

Here we discuss how to use basic OpenSSL functionality from the command line, for those who wish to use OpenSSL interactively, call out to it from shell scripts, or interface with it from languages without native OpenSSL support.

Chapter 3

This chapter explains the basics of Public Key Infrastructure (PKI), especially as it manifests itself in OpenSSL. This chapter is primarily concerned with how to go about getting certificates for use in SSL, S/MIME, and other PKI-dependent cryptography. We also discuss how to manage your own PKI using the OpenSSL command line, if you so choose.

Chapter 4

In this chapter, we talk about the various low-level APIs that are most important to OpenSSL. Some of these APIs need to be mastered in order to make full use of the OpenSSL library. Particularly, we lay the foundation for enabling multithreaded application support and performing robust error handling with OpenSSL. Additionally, we discuss the OpenSSL IO API, its randomness API, its arbitrary precision math API, and how to use cryptographic acceleration with the library.

Chapter 5

Here we discuss the ins and outs of SSL-enabling applications, particularly with SSLv3 and its successor, TLSv1. We not only cover the basics but also go into some of the more obscure features of these protocols, such as session resumption, which is a tool that can help speed up SSL connection times in some circumstances.

Chapter 6

This chapter covers everything you need to know to use OpenSSL's interface to secret-key cryptographic algorithms such as Triple DES, RC4, and AES (the new Advanced Encryption Standard). In addition to covering the standard API, we provide guidelines on selecting algorithms that you should support for your applications, and we explain the basics of these algorithms, including different modes of operation, such as counter mode. Additionally, we talk about how to provide some security for UDP-based traffic, and discuss general considerations for securely integrating symmetric cryptography into your applications.

Chapter 7

In this chapter, we discuss how to use nonreversible (one-way) cryptographic hash functions, often called message digest algorithms. We also show how to use Message Authentication Codes (MACs), which can be used to provide data integrity via a shared secret. We show how to apply MACs to ensure that tampering with HTTP cookies will be detected.

Chapter 8

Here we talk about the various public key algorithms OpenSSL exports, including Diffie-Hellman key exchange, the Digital Signature Algorithm (DSA), and RSA. Additionally, we discuss how to read and write common storage formats for public keys.

Chapter 9

This chapter describes how to use OpenSSL programmatically from Perl using the Net::SSLeay package, from Python using the M2Crypto library, and from PHP.

Chapter 10

In this chapter, we discuss many of the more esoteric parts of the OpenSSL API that are still useful, including the OpenSSL configuration API, creating and using S/MIME email, and performing certificate management programmatically.
Read Comments To Download This Guide

Network Security Bible 2005

The Goal of This Book

Network Security Bible provides comprehensive coverage of the fundamental con­cepts of network security and the processes and means required to implement a secure network. The goal of this text is to provide the reader with an understanding of security engineering processes and network security best practices, including in-depth specifics on the following topics:

♦ Windows
♦ UNIX
♦ Linux
♦ The World Wide Web
♦ E-mail
♦ Risk management
♦ Server applications
♦ Domain Name Systems (DNS)
♦ Communications security

Other topics are aimed at providing the reader with insight into information assurance through clear and thorough tutorials on the latest information, including security assessment, evaluation, and testing techniques. This up-to-date and applicable knowl­edge will benefit practitioners in the commercial, government, and industrial sectors.

Network Security Bible meets the needs of information security professionals and other individuals who have to deal with network security in their everyday activi­ties. It is truly an all-inclusive reference that tells you why and how to achieve a secure network in clear and concise terms.

The Five Parts of This Book

Network Security Bible is organized into the following five parts:
♦ Part I: Security Principles and Practices
♦ Part II: Operating Systems and Applications
♦ Part III: Network Security Fundamentals
♦ Part IV: Communications
♦ Part V: The Security Threat and Response

The flow of the material is designed to provide a smooth transition from fundamen­tal principles and basic knowledge to the practical details of network security. In this manner, the text can serve as a learning mechanism for people new to the field as well as a valuable reference and guide for experienced professionals.

Part I: Security Principles and Practices

Part I provides a background in the fundamentals of information system security. Specifically, it comprises chapters on information system security principles, infor­mation system security management, and access control.

♦ Chapter 1: Information System Security Principles. It is important that the network security practitioner be intimately familiar with the fundamental tenets of information system security, particularly the concepts of confiden­tiality, integrity, and availability (CIA). These topics are explained in detail in this chapter and then related to threats, vulnerabilities, and possible impacts of threats realized. After covering these basic topics, the formal processes of systems engineering (SE), information systems security engineering (ISSE), the systems development life cycle (SDLC), and the relationship of network security to the SDLC are explained. These subject areas provide the reader with an excellent understanding of applying standard rules to incorporate information system security into system development activities. These skills are particularly valuable to individuals working in large companies that need the discipline provided by these methods and to government organizations required to apply formal information security approaches in their everyday operations.

♦ Chapter 2: Information System Security Management. To continue to pro­vide a basis for delving into network security issues, this chapter discusses the important, but sometimes neglected, roles of management and administra­tion in implementing good network security. All personnel in an organization should be aware of the information security policies, procedures, and guide­lines and practice them on an ongoing basis. The existence of these docu­ments and practices are of critical importance to an organization and should be incorporated into the organization’s routine operations. For example, the seemingly innocuous requirement of requiring critical personnel to take vaca­tion time in blocks of a week or more might reveal covert and illegal activities on the part of those individuals when they are replaced by new personnel during the vacation interval. Also, corporate officers will be exposed to legal liability if they do not have policies in place addressing the protection of the organization’s intellectual property and other critical information.

Chapter 2 also provides clear and concise guidelines on the best practices to ensure the continuity of an organization’s critical operations during and after a disaster. Business continuity planning (BCP) and disaster recover planning (DRP) approaches are explained and illustrated, providing for continuity of critical business functions and networked information systems, respectively.

♦ Chapter 3: Access Control Considerations. Controlling access to critical net­work and computer resources is one of the most important requirements for any organization. Chapter 4 defines and illustrates the concepts of identifying a user or process to an information system, verifying the identity of that user or process (authentication), and granting access privileges to specific resources (authorization). In addition, this chapter covers the methods of implementing secure access to information systems from remote sites.
Part II: Operating Systems and Applications

In the second part of this book, the security issues and solutions associated with operating systems such as Windows, UNIX, and Linux are detailed. Following these topics, Web browser security, Web security, e-mail security, domain name systems, and server applications are addressed. The authors provide insights and directions to implementing operating system and Web security based on their extensive expe­rience in these areas.

♦ Chapter 4: Windows Security. Because the many versions of the Windows operating system that are in widespread use, their security vulnerabilities pose serious threats to their host computers. Chapter 4 reviews these secu­rity problems and offers steps to be taken to securely install Windows, harden the operating system, operate securely, and maintain a safe system.

♦ Chapter 5: UNIX and Linux Security. UNIX and the open source Linux operat­ing systems are becoming increasingly popular as counters to the reliability problems of the Windows operating systems. Thus, network security aspectsof UNIX and Linux are covered in Chapter 5, including kernel issues, extrane­ous services, and specific services such as NFS, Sendmail, BIND, and RIP.

♦ Chapter 6: Web Browser and Client Security. Web browsers pose serious threats to the security of their host machines and this chapter explores the sources of those threats, focusing on the Netscape and Internet Explorer browsers. The authors provide their solutions to securing a Web browser and protecting corporate portals.

♦ Chapter 7: Web Security. Building on the information and solutions presented for Web browsers, Chapter 7 continues by examining the Hypertext Transfer Protocol (HTTP); Common Gateway Interface (CGI) security issues; privacy concerns associated with cookies, hidden fields and URL tracking; auditing; and the secure implementation of e-commerce applications.

♦ Chapter 8: E-mail Security. Because we all use e-mail, the information security knowledge covered in this chapter is directly applicable to users, IT profes­sionals, and security personnel. Chapter 8 explains the different types of e-mail, including SMTP, POP3, and IMAP The authors describe how to prop­erly configure e-mail systems, and how to handle security problems associ­ated with those types.

♦ Chapter 9: Domain Name System. This chapter describes the concepts behind the Domain Name System (DNS), Master and Slave Name servers, and the design of Domain Name Systems, including split DNS and split-split DNS. The authors then describe how to set up different types of DNS servers and discuss recursion and zone transfers.

♦ Chapter 10: Server Security. Another key knowledge component of network security is understanding the different types of servers and their associated applications. Chapter 10 describes the general principles to be observed when putting a server on line and then specifically presents valuable com­mentary on FTP servers, instant messaging, NetBIOS file sharing, secure shell, Kazaa, and remote access of computer-based information.

Part III: Network Security Fundamentals

This part describes the various network protocols, particularly the specifics of the OSI and TCP models. The fundamental concepts of wireless communication and wireless security are explained, including coding schemes, the different wireless technology generations, and wireless vulnerabilities. The authors then provide detailed recommendations and guidance for securing networks along with descrip­tions of the components of network architectures.

♦ Chapter 11: Network Protocols. This chapter explains in detail the OSI and TCP models and the IP, ICMP, TCP, and UDP protocols. It also reviews address resolution concepts and methods and relates them to the general goals of net­work security.♦ Chapter 12: Wireless Security. Wireless connections to the Internet are becoming extremely popular and this chapter covers topics including the wireless frequency spectrum, fundamentals of wireless transmission, the dif­ferent coding schemes and generations of wireless technology, and security issues associated with wireless applications.

♦ Chapter 13: Network Architecture Fundamentals. The components of a net­work and their corresponding configurations for implementing security are critical factors in the protection information systems. Chapter 14 provides clear descriptions and explanations of network bridges, routers, switches, firewalls, gateways, guards, and other important network elements. Their functions and relationship to the overall security of a network are reviewed and guidelines for their application are provided.

Part IV: Communications

Part IV of this book reveals the best practices and approaches related to communi­cations security.

♦ Chapter 14: Secret Communication. Secret communication involves the means to encrypt and decrypt messages as well as to authenticate the sender. Chapter 14 provides a history of cryptography, reviews the fundamentals of symmetric and asymmetric encryption, explains digital signatures, and con­cludes with an overview of generally accepted cryptographic axioms.

♦ Chapter 15: Covert Communication. Covert communication refers to commu­nication that conceals the fact that hidden information is being transmitted. In secret communication, described in Chapter 14, an attacker is aware that sensitive information is being transmitted in scrambled form. The problem for the attacker is to retrieve the information by unscrambling or decrypting it. In covert communication, sensitive information might be hidden some­where in an image or in a microdot that appears as a period at the end of a sentence. Thus, an attacker does not know that information is hidden unless he or she checks everything that is being transmitted for concealed messages. This type of covert communication is known as steganography. Chapter 15 describes the goals of steganography, its advantages and disadvantages, methods of embedding sensitive information in other components such as images, and tools for detecting hidden information.

♦ Chapter 16: Applications of Secure/Covert Communication. Chapter 16 details the methods of achieving secure and covert communication. The top­ics addressed include e-mail security, implementing virtual private networks (VPNs), and applying different protocols to protect information transmitted over the Internet. The chapter also addresses digital certificates to “certify” individuals’ public keys and methods of managing cryptographic keys in an organizational setting.

Part V: The Security Threat and Response

The chapters in this part primarily address the issues of detecting and responding to network intrusions and assuring the security controls that have been put in place actually do provide the expected results. This section and the text conclude with “putting everything together” through detailed descriptions of the most common problems in network security, their solutions, and planning for future situations.

♦ Chapter 17: Intrusion Detection and Response. The network security practi­tioner has to be familiar with and understand the various types and effects of malicious code. Chapter 17 explains these different kinds of malware, dis­cusses common types and sources of attacks, and shows how to detect and handle intrusions into a network and its resources.

♦ Chapter 18: Security Assessments, Testing, and Evaluation. Private and gov­ernmental organizations, by necessity, have to ensure that their networks and information systems are secure from attacks. Both entities have critical and sensitive information that have to be protected from violations of confidential­ity, integrity, and availability. Therefore, these organizations have developed assessment and evaluation approaches that can be applied to determine whether a network is really secure, even after appropriate controls have been implemented. Chapter 18 discusses these methodologies, including the Systems Security Engineering Capability Maturity Model (SSE-CMM), the dif­ferent types of certification and accreditation approaches, the National Institute for Standards and Technology (NIST) information security publica­tions, and the various types of testing and auditing practices.

♦ Chapter 19: Putting Everything Together. At this point in Network Security Bible, the elements that comprise a network, security architectures, security threats, countermeasures, incident handling, and assessment approaches have been covered in detail. Chapter 19 ties all these entities together by describing the top 10 problems of network security, the top 10 solutions to these problems, the top 10 mistakes information security and IT practitioners make, and how to develop a framework for future activities and challenges.
Read Comment To Download This Book