Foundations of security: What every programmer needs to know

Foundations of Security: What Every Programmer Needs to Know

Volumn , Issue , 2007, Pages 1-290

  Daswani, Neil ^a   Kern, Christoph ^a   Kesavan, Anita ^a  

^a NONE

Author keywords

[No Author keywords available]

Indexed keywords

EID: 84889956367     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.1007/978-1-4302-0377-3     Document Type: Book

References (152)

1. Abelson, Harold, Ross Anderson, Steven Bellovin, Josh Benaloh, Matt Blaze, Whitfield Die, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, and Bruce Schneier. 1998. The risks of key recovery, key escrow, and trusted third party encryption. Center for Democracy and Technology. www.cdt.org/crypto/risks98.
2. Anderson, Kevin. 2001. White House website attacked. BBC News Online, May 5. http://news.bbc.co.uk/1/hi/world/americas/1313753.stm.
3. Anley, Chris. 2002. Advanced SQL injection in SQL Server applications. Next Generation Security Software, www.ngssoftware.com/papers/advanced-sql- injection.pdf.
4. Balenson, David M., Carl M. Ellison, Steven B. Lipner, and Steven T. Walker. 1994. A new approach to software key escrow encryption. In Building in big brother: The cryptographic policy debate, 180-207. New York: Springer-Verlag.
5. Bellare, Mihir, and Shafi Goldwasser. Verifiable partial key escrow. 1997. In Proceedings of the 4th ACM Conference on Computer and Communications Security, 78-91. New York: ACM Press.
6. Bellovin, Steven M. 1999. Distributed firewalls. Special issue on security, login:, November. www.usenix.org/publications/login/1999-11/features/ firewalls.html.
7. Berners-Lee, Tim, and Dan Connolly. 1995. Hypertext Markup Language - 2.0. RFC 1866 (historic; obsoleted by RFC 2854), November. www.ietf.org/rfc/ rfc1866.txt.
8. Berners-Lee, Tim, Roy Fielding, and Larry Masinter. 2005. Uniform resource identifier (URI): Generic syntax. RFC 3986 (standard), January. www.ietf.org/rfc/rfc3986.txt.
9. Berners-Lee, Tim, Roy T. Fielding, and Henrik Frystyk Nielsen. 1996. Hypertext Transfer Protocol - HTTP/1.0. RFC 1945, May. www.w3.org/Protocols/ rfc1945/rfc1945.
10. Bishop, Matt. 1995. A standard audit trail format. In Proceedings of the 18th National Information Systems Security Conference, 136-145.
11. Bishop, Matt, Christopher Wee, and Jeremy Frank. 1996. Goal-oriented auditing and logging. Submitted to IEEE Transactions on Computing Systems.
12. Blaze, Matt. Oblivious key escrow. 2002. In Information Hiding: First International Workshop, Cambridge, U.K., May 30-June 1, 1996, Proceedings (LNCS 1174), 335-343. Berlin: SpringerVerlag.
13. Boneh, Dan. 1999. Twenty years of attacks on the RSA cryptosystem. Notices of the AMS 46 (2): 203-213.
14. Bos, Bert, Hakon Wium Lie, Chris Lilley, and Ian Jacobs. 1998. Cascading Style Sheets, level 2 (CSS2 specification). W3C recommendation, May 12. www.w3.org/TR/REC-CSS2.
15. Brooks, Frederick P. 1995. The mythical man-month: Essays on software engineering. New York: Addison-Wesley
16. Bulba and Killar. 2000. Bypassing StackGuard and Stack-Shield. Phrack Magazine 56 (5). www.phrack.org/archives/56/p56-0x05.
17. Burns, Jesse. 2005. Cross site reference forgery. Information Security Partners, www.isecpartners.com/files/XSRF-Paper-0.pdf.
18. Castro, Miguel, and Barbara Liskov. 1999a. Authenticated Byzantine fault tolerance without public-key cryptography. Technical Memo MIT/LCS/TM-589, MIT Laboratory for Computer Science, June. www.pmg.lcs.mit.edu/~castro/tm589.pdf.
19. -. 1999b. Practical Byzantine fault tolerance. In Proceedings of the Third USENIX Symposium on Operating Systems Design and Implementation, June, 173-186. www.pmg.lcs.mit.edu/~castro/tm589.pdf.
20. CERT 2002. CERT Advisory CA-2001-19 "Code Red" worm exploiting buffer overflow in IIS indexing service DLL. CERT Coordination Center, January 17, www.cert.org/advisories/ CA-2001-19.html.
21. Chambers, A D. 1981. Current strategies for computer auditing within an organisation. Computer Journal 24 (4): 290-294.
22. Cheswick, William R., and Steven M. Bellovin. 1994. Firewalls and Internet security: Repelling the wily hacker. New York: Addison-Wesley
23. CNN/Money 2005. Bank security breach may be biggest yet. CNNMoney.com, May 23. http://money.cnn.com/2005/05/23/news/fortune500/bank-info.
24. Coffey, Tom, and Puneet Saidha. 1996. Non-repudiation with mandatory proof of receipt. ACM SIGCOMM Computer Communication Review 26 (1): 6-17.
25. Daswani, Neil, and Dan Boneh. 1999. Experimenting with electronic commerce on the PalmPilot. In Financial Cryptography: Third International Conference, FC '99, Anguilla, British West Indies, February 1999, Proceedings (LNCS 1648), ed. Matthew K. Franklin, 1-16. Berlin: Springer-Verlag.
26. Davies, Donald W. 1983. Applying the RSA digital signature to electronic mail. IEEE Computer 16 (2): 55-62.
27. -. 1990. Quality auditing: The necessary step towards the required quality objectives. In Advanced Information Systems Engineering: Second Nordic Conference CAiSE '90, Stockholm, Sweden, May 1990, Proceedings (LNCS 436), ed. Bo Steinholtz, Arne Solvberg, and Lars Bergman, 286. Berlin: Springer-Verlag.
28. Davies, Donald W., and Wyn L. Price. 1980. The application of digital signatures based on public-key cryptosystems. In Proceedings of the Fifth International Computer Communications Conference, 525-530.
29. -. 1984. Digital signatures - an update. In International Conference on Computer Security, 845-849.
30. Debar, Herve, Marc Dacier, and Andreas Wespi. 1999. Towards a taxonomy of intrusiondetection systems. Computer Networks 31 (8): 805-822.
31. Denning, Dorothy E. 1986. An intrusion-detection model. In Proceedings of the 1986 IEEE Computer Society Symposium on Research in Security and Privacy, 118-131.
32. -. 1995. Critical factors of key escrow encryption systems. In Proceedings of the 18th National Information Systems Security Conference, 384-394.
33. Denning, Dorothy E., and Dennis K. Branstad. 1996. A taxonomy for key escrow encryption systems. Communications of the ACM 39 (3): 34-40.
34. Dennis, Sylvia, and Steve Gold. 1999. White House web site hacked by anti NATO hactivists? Newsbytes, March 30. wwwfindarticles.com/p/articles/mi-m0HDN/ is-1999-March-30/ai-54275915.
35. Dierks, Tim, and Eric Rescorla. 2006. The Transport Layer Security (TLS) Protocol, version 1.1. RFC 4346, April. www.ietf.org/rfc/rfc4346.txt.
36. Dolev, Danny, Michael J. Fischer, Rob Fowler, Nancy A Lynch, and H. Raymond Strong. 1982. An efficient algorithm for Byzantine agreement without authentication. Information and Control 52 (3): 257-274.
37. Engler, Dawson, Benjamin Chelf, Andy Chou, and Seth Hallem. 2000. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the Fourth USENIX Symposium on Operating System Design and Implementation. www.usenix.org/events/osdi2000/engler/engler.ps.
38. Evers, Joris. 2005. Key bugs in core Linux code squashed. CNET News, August 3. http://news.com.com/Key+bugs+in+core+Linux+code+squashed/2100-1002-3- 5817471.html.
39. Feldman, Paul, and Silvio Micali. 1988. Optimal algorithms for Byzantine agreement. In Proceedings of the 20th Annual ACM Symposium on Theory of Computing, 148-161. New York: ACM Press.
40. Fielding, Roy T., James Gettys, Jeffrey C. Mogul, Henrik Frystyk Nielsen, Larry Masinter, Paul J. Leach, and Tim Berners-Lee. 1999. Hypertext Transfer Protocol - HTTP/1.1. RFC 2616 (draft standard; updated by RFC 2817), June. www.ietf.org/rfc/rfc2616.txt?number=2616.
41. Fluhrer, Scott, Itsik Mantin, and Adi Shamir. 2001. Weaknesses in the key scheduling algorithm of RC4. Eighth Annual Workshop on Selected Areas in Cryptography. www.springerlink.com/index/W7FB0V5Q582HXYRL.pdf.
42. Franks, John, Phillip Hallam-Baker, Jeffrey Hostetler, Scott D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart. 1999a. HTTP authentication: Basic and digest access authentication. RFC 2617 (draft standard), June. http://www.ietf.org/rfc/rfc2617.txt.
43. -. 1999b. HTTP authentication: Basic and digest access authentication. Internet RFC 2617, June. www.ietf.org/rfc/rfc2617.txt.
44. Freed, Ned, and Nathaniel S. Borenstein. 1996. Multipurpose Internet Mail Extensions (MIME) part one: Format of Internet message bodies. RFC 2045 (draft standard; updated by RFCs 2184 and 2231), November.
45. Galil, Zvi, Alain J. Mayer, and Moti Yung. 1995. Resolving message complexity of Byzantine agreement and beyond. In Proceedings of the 36th Annual Symposium on Foundations of Computer Science, 724-733. Oakland, CA IEEE Computer Society Press.
46. Garay, Juan A., and Yoram Moses. 1993. Fully polynomial Byzantine agreement in t +1 rounds. In Proceedings of the 25th Annual ACM Symposium on Theory of Computing, 31-41. New York: ACM Press.
47. Garcia-Molina, Hector, Frank Pitelli, and Susan B. Davidson. March 1986. Applications of Byzantine agreement in database systems. ACM Transactions on Database Systems 11 (1): 27-47.
48. Garrett, Jesse James. 2005. Ajax: A new approach to web applications. Adaptive Path, February 18 www.adaptivepath.com/publications/essays/archives/ 000385.php.
49. Gonzalez, Guadalupe. 2000. Statement for the record of Guadalupe Gonzalez, Special Agent in Charge, Phoenix Field Division, Federal Bureau of Investigation, on cybercrime, before a special field hearing Senate Committee on Judiciary Subcommittee on Technology, Terrorism, and Government Information, April 21. www.milnet.com/infowar/gonza042100.htm.
50. Gordon, John. 1984. The story of Alice and Bob. Extract from a speech given at the Zurich Seminar, Zurich, Switzerland, April. www.conceptlabs.co.uk/ alicebob.html.
51. Gray, Jim. 1990. A comparison of the Byzantine agreement problem and the transaction commit problem. In Fault-Tolerant Distributed Computing (LNCS 448), ed. Barbara Simons and Alfred Spector, 10-17. Berlin: Springer-Verlag.
52. Gunter, Carl A., and Trevor Jim. 2000. Generalized certificate revocation. In Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 316-329. New York: ACM Press.
53. Gutterman, Zvi, and Dahlia Malkhi. 2005. Hold your sessions: An attack on Java session-ID generation. In Topics in Cryptography - CT-RSA 2005: The Cryptographers' Track at the RSA Conference 2005, San Francisco, California, USA, February 14-18, 2005, Proceedings (LNCS 3376), 44-57. Berlin: Springer-Verlag.
54. Hansen, James V 1983. Audit considerations in distributed processing systems. Communications of the ACM 26 (8): 562-569.
55. Hines, Matt. 2005. ChoicePoint data theft widens to 145, 000 people. CNET News, February 18. http://news.com.com/ ChoicePoint+data+theft+widens+to+145%2C000+people/2100-1029-3-5582144.html.
56. Homer, Alex, and Dave Sussman. 2003. Distributed data applications with ASP.NET, second edition. Berkeley, CA Apress.
57. Housley, Russell, Tim Polk, Warwick Ford, and David Solo. 2002. Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 3280, April. www.ietf.org/rfc/rfc3280.txt.
58. Howard, Michael. 2002. Strsafe.h: Safer string handling in C. Microsoft, June. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/ html/strsafe.asp.
59. Iwata, Tetsu. 2003. Comparison of CBC MAC variants and comments on NIST's consultation paper. CSRC, May 5. http://csrc.nist.gov/CryptoToolkit/modes/ comments/800-38-Series-Drafts/RMAC/Iwata-comments.pdf
60. Jajodia, Sushil, Shashi K. Gadia, Gautam Bhargava, and Edgar H. Sibley. 1989. Audit trail organization in relational databases. DBSec 1989: 269-281.
61. Jakobsson, Markus, Helga Lipmaa, and Wenbo Mao. 2007. Cryptographic protocols: Techniques for secure protocol design. Upper Saddle River, NJ: Prentice Hall.
62. Jorelid, Lennart. 2001. J2EE FrontEnd technologies: A programmer's guide to servlets, JavaServer Pages, and Enterprise JavaBeans. Berkeley, CA Apress.
63. Kelsey John, and Bruce Schneier. 1999. Secure audit logs to support computer forensics. ACM Transactions on Information and System Security 2 (2): 159-176.
64. Kilian, Joseph, and Tom Leighton. 1995. Failsafe key escrow. In Advances in Cryptology - CRYPTO '95:15th Annual International Cryptology Conference, Santa Barbara, California, USA, August 1995, Proceedings (LNCS 963), ed. Don Coppersmith, 208-221. Berlin: Springer-Verlag.
65. Knudsen, Lars R., and Torben P. Pedersen. 1996. The difficulty of software key escrow. In Advances in Cryptology - EUROCRYPT '96: International Conference on the Theory and Application of Cryptographic Techniques, Saragossa, Spain, May 12-16, 1996, Proceedings (LNCS 1070), ed. Ueli Maurer, 237-244. Berlin: Springer-Verlag.
66. Kocher, Paul. 1998. On certificate revocation and validation. In Financial Cryptography: Second International Conference, FC '98, Anguilla, British West Indies, February 1998, Proceedings (LNCS 1465), ed. Rafael Hirschfeld, 172-177. Berlin: Springer-Verlag.
67. Kopetz, Hermann. 1996. Temporal firewalls. Presented at DeVa 1st Selective Open Workshop, Schloss Reisensburg, Germany.
68. Kovar, Matthew. 2000. $1.2 billion impact seen as a result of recent attacks launched by internet hackers. The Yankee Group, Research Notes, February.
69. Kristol, David M., and Lou Montulli. 2000. HTTP state management mechanism. RFC 2965 (proposed standard), October. www.ietf.org/rfc/rfc2965.txt.
70. Kumar, Sandeep. 1995. Classification and detection of computer intrusions. PhD thesis, Purdue University.
71. Lamport, Leslie. 1983. The weak Byzantine generals problem. Journal of the ACM 30 (3): 668-676.
72. Lamport, Leslie, and Michael J. Fischer. 1982. Byzantine generals and transactions commit protocols. SRI International, Technical Report Opus 62, April.
73. Lamport, Leslie, Robert Shostak, and Marshall Pease. 1982. The Byzantine generals problem. ACM Transactions on Programming Languages and Systems 4 (3), 382-401.
74. Le Hors, Arnaud, Philippe Le Hégaret, Lauren Wood, Gavin Nicol, Jonathan Robie, Mike Champion, and Steve Byrne. 2000. Document Object Model (DOM) level 2 core specification. W3C recommendation, November 13. www.w3.org/TR/DOM-Level-2-Core.
75. Lee, Wenke, and Salvatore Stolfo. 1998. Data mining approaches for intrusion detection. In Proceedings of the Seventh USENIX Security Symposium, January.
76. Lee, Wenke, Salvatore Stolfo, and Phil Chan. 1997. Learning patterns from Unix process execution traces for intrusion detection. In Proceedings of the AAAI97 Workshop on AI Methods in Fraud and Risk Management.
77. Lee, Wenke, Salvatore J. Stolfo, and Kui W Mok. 1998. Mining audit data to build intrusion detection models. In Proceedings of the Fourth International Conference on Knowledge Discovery and Data Mining, ed. Usama M. Fayyad and Ramasamy Uthurusamy, 66-72. Menlo Park, CA: AAAI Press.
78. -. 2000. Adaptive intrusion detection: A data mining approach. Artificial Intelligence Review 14 (6): 533-567.
79. Lemos, Robert. 2004. Security research suggests Linux has fewer flaws. CNET News, December 13 http://news.com.com/ Security+research+suggests+Linux+has+fewer+flaws/2100-1002-3-5489804.html.
80. -. 2005. Bank of America loses a million customer records. CNET News, February 25. http://news.com.com/ Bank+of+America+loses+a+million+customer+records/2100-1029-3-5590989.html.
81. Lenstra, Arjen K., Peter Winkler, and Yacov Yacobi. 1995. A key escrow system with warrant bounds. In Advances in Cryptology - CRYPTO '95:15th Annual International Cryptology Conference, Santa Barbara, California, USA, August 1995, Proceedings (LNCS 963), ed. Don Coppersmith, 197-207. Berlin: Springer-Verlag.
82. Long, Johnny. 2004. Google hacking for penetration testers. Rockland, MA Syngress Publishing.
83. Lunt, Teresa F. 1988. Automated audit trail analysis and intrusion detection: A survey. In Proceedings of the 11th National Computer Security Conference, Baltimore, Maryland.
84. -. 1993. A survey of intrusion detection techniques. Computers and Security 12 (4): 405-418.
85. Malkhi, Dahlia, and Michael K. Reiter. 1997. Byzantine quorum systems. In Proceedings of the 29th Annual ACM Symposium on Theory of Computing, 569-578. New York: ACM Press.
86. Maor, Ofer, and Amichai Shulman. 2003. Blind SQL injection. Imperva, September. www.imperva.com/application-defense-center/white-papers/blind-sql- server-injection.html.
87. Markowitch, Olivier, and Steve Kremer. 2001. A multi-party optimistic non-repudiation protocol. In Information Security and Cryptology - ICISC 2000, Third International Conference, Seoul, Korea, December 8-9, 2000, Proceedings (LNCS 2015), ed. Dongho Won, 109-122. Berlin: Springer-Verlag.
88. Markowitch, Olivier, and Yves Roggeman. 1999. Probabilistic non-repudiation without trusted third party. In Second Workshop on Security in Communication Networks.
89. Matyas, Stephen M. 1979. Digital signatures - an overview. Computer Networks: The International Journal of'Distributed Informatique 3 (2): 87-94.
90. McDaniel, Patrick, and Sugih Jamin. 2000. Windowed certificate revocation. INFOCOM (3), 1406-1414.
91. McGraw, Gary. 2004. So you'd like to become... a software security expert, www.amazon.com/exec/obidos/tg/guides/guide-display/-/15Z37MNOO3P3P/ 002-4169922-4092837.
92. McGraw, Gary, and John Viega. 2000. Make your software behave: Learning the basics of buffer overflows. IBM developerWorks, March 1.
93. Merkle, Ralph C. 1990. A certified digital signature. In Advances in Cryptology - CRYPTO '89:9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings (LNCS 435), ed. Gilles Brassard, 218-238. Berlin: Springer-Verlag.
94. Messier, Matt, and John Viega. 2005. Safe C string library v1.0.3. Zork.org, January 30. www.zork.org/safestr.
95. Micali, Silvio. 1996. Efficient certificate revocation. MIT, Technical Report MIT/LCS/TM-542b
96. Mills, David L. 2006. The Network Time Protocol version 4 protocol specification, September. www3.ietf.org/proceedings/05nov/IDs/draft-ietf-ntp- ntpv4-proto-01.txt.
97. Mitchell, C. J., F. Piper, and P. Wild. 1992. Digital signatures. In Contemporary Cryptology: The Science of Information Integrity, ed. Gustavus J. Simmons, 325-378. Piscataway, NJ: WileyIEEE Press.
98. Mockapetris, P.V 1987. Domain names - concepts and facilities. Internet standard RFC 1034 (updated by RFCs 1101, 1183, 1348, 1876, 1982, 2065, 2181, 2308, 2535, 4033, 4034, 4035, 4343, and 4035), November. www.ietf.org/rfc/ rfc1034.txt.
99. Mohan, C, R. Strong, and S. Finkelstein. 1983. Method for distributed transaction commit and recovery using Byzantine agreement within clusters of processors. In Proceedings of the Second Annual ACM Symposium on Principles of Distributed Computing, 89-103. New York: ACM Press.
100. Moore, David, and Colleen Shannon. 2002. Code-Red: A case study on the spread and victims of an Internet worm. In Proceedings of the Second ACM SIGCOMM Workshop on Internet Measurement, 273-284. New York: ACM Press.
101. Moore, David, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver. 2003. Inside the Slammer worm. IEEE Security & Privacy 1 (4): 33-39.
102. Morris, Robert T. 1985. A weakness in the 4.2 BSD UNIX TCP/IP software. AT&T Bell Labs, Technical Report 117, February.
103. Morris, Robert, and Ken Thompson. 1979. Password security: A case history. Communications of the ACM 22 (11): 594-597.
104. Mukherjee, Biswanath, L. Todd Heberlein, and Karl N. Levitt. 1994. Network intrusion detection. IEEE Network 8 (3): 26-41.
105. Naor, Moni, and Kobbi Nissim. 1998. Certificate revocation and certificate update. In Proceedings of the 7th USENIX Security Symposium.
106. National Computer Security Center. 1996. Auditing issues in secure database management systems. National Computer Security Center Technical Report - 005, vol. 4/5, May.
107. Nechvatal, James. 1996. A public-key-based key escrow system. Journal of Systems and Software 35 (1): 73-83.
108. Ng, Sam 2006. Advanced topics in SQL injection protection, www.owasp.org/images/7/7d/ Advanced-Topics-on-SQL-Injection-Protection.ppt.
109. Oppliger, Rolf. 1997. Internet security: Firewalls and beyond. Communications of the ACM 40 (5): 92-102.
110. Paul, Souradyuti, and Bart Preneel. 2004. A new weakness in the RC4 keystream generator and an approach to improve the security of the cipher. In Fast Software Encryption: 11th International Workshop, FSE 2004, Delhi, India, February 2004, revised papers (LNCS 3017), 245-259. Berlin: Springer-Verlag.
111. Perlman, Radia. 1998. Network layer protocols with Byzantine robustness. PhD thesis, Department of Electrical Engineering and Computer Science, MIT.
112. Picciotto, Jeffery. 1987. The design of an effective auditing subsystem. In IEEE Symposium on Security and Privacy, 13-22. Oakland, CA: IEEE Computer Society Press.
113. Powell, Thomas, and Fritz Schneider. 2004. JavaScript: The complete reference, second edition. Berkeley, CA: Osborne/McGraw-Hill.
114. Privacy Rights Clearinghouse. 2005. The ChoicePoint data security breach: What it means for you, and how to find out what ChoicePoint knows about you, www.privacyrights.org/ar/CPResponse.htm.
115. Ptacek, Thomas H., and Timothy N. Newsham. 1998. Insertion, evasion, and denial of service: Eluding network intrusion detection. Secure Networks, Technical Report, January.
116. Rabin, Michael O. 1978. Digital signatures. In Foundations of Secure Computation, ed. Richard DeMillo, David Dobkin, Anita Jones, and Richard Lipton, 155-168. New York: Academic Press.
117. -. 1979. Digitalized signatures and public-key functions as intractable as factorization. MIT Technical Report, MIT/LCS/TR-212.
118. Raggett, Dave, Arnaud Le Hors, and Ian Jacobs. 1999. HTML 4.01 specification. W3C recommendation, December 24. www.w3.org/TR/html401.
119. Ranum, Marcus J. 1993. Thinking about firewalls. In Proceedings of the Second International Conference on Systems and Network Security and Management (SANS-II).
120. Rivest, R., A. Shamir, and L. Adelman. 1978. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM21 (2): 120-126.
121. Schneider, Steve. 1998. Formal analysis of a non-repudiation protocol. In PCSFW: Proceedings of the 11th Computer Security Foundations Workshop, 54-65. Oakland, CA IEEE Computer Society Press.
122. Schneier, Bruce. 2000. Crypto-Gram Newsletter, May 15. www.schneier.com/crypto-gram-0005.html.
123. -. 2004. The Witty worm: A new chapter in malware. Computerworld, June 2. http://wwwcomputerworld.com/networkingtopics/networking/story/0,10801,93584,00. html.
124. Schneier, Bruce, and John Kelsey. 1999. Tamperproof audit logs as a forensics tool for intrusion detection systems. Computer Networks and ISDN Systems.
125. Scott, George M. 1977. Auditing large scale data bases. VLDB, 515-522.
126. Seiden, Kenneth F., and Jeffrey P. Melanson. May 1990. The auditing facility for a VMM security kernel. In Proceedings of 1990 IEEE Symposium on Research in Security and Privacy, 262-277.
127. Sekar, R., Y. Guang, S. Verma, and T. Shanbhag. 1999. A high-performance network intrusion detection system. In Proceedings of the 6th ACM Conference on Computer and Communications Security, 8-17. New York: ACM Press.
128. Shamir, Adi. 1995. Partial key escrow: A new approach to software key escrow. Presented at Key Escrow Conference, Washington, DC.
129. Shannon, Colleen, and David Moore. 2004. The spread of the Witty worm. IEEE Security & Privacy 2 (4): 46-50.
130. Sieberg, Daniel and Dana Bush. 2003. Computer worm grounds flights, blocks ATMs. CNN.com, January 26. www.cnn.com/2003/TECH/internet/01/25/internet. attack.
131. Spett, Kevin. 2005. Blind SQL injection. SPI Dynamics, www.spidynamics.com/whitepapers/Blind-SQLInjection.pdf.
132. Stubblefield, Adam, John Ioannidis, and Aviel D. Rubin. 2002. Using the Fluhrer, Mantin, and Shamir attack to break WEP. In Network and Distributed Systems Security Symposium (NDSS).
133. Sullivan, Bob. 2006. ChoicePoint to pay $15 million over data breach. MSNBC, January 26. www.msnbc.msn.com/id/11030692.
134. Taylor, R. 1996. Non-repudiation without public-key In Information Security and Privacy: First Australasian Conference on Information Security and Privacy, Wollongong, NSW, Australia, June 24-26, 1996, Proceedings (LNCS 1172), ed. Josef Pieprzyk and Jennifer Seberry, 27-37. Berlin: Springer-Verlag.
135. Telang, Rahul, and Sunil Wattal. 2005. Impact of software vulnerability announcements on the market value of software vendors: An empirical investigation. In Fourth Workshop on the Economics of Information Security, Kennedy School of Government, Harvard University.
136. Theriault, Marlene L., and Aaron Newman. 2001. Oracle Security Handbook: Implement a Sound Security Plan in Your Oracle Environment. New York: Osborne/McGraw-Hill.
137. Walker, Steven T. 1994. Thoughts on key escrow acceptability. Trusted Information Systems, TIS Report 534D, November.
138. Walker, Stephen T, Steven B. Lipner, Carl M. Ellison, Dennis K. Branstad, and David M. Balenson. 1995. Commercial key escrow: Something for everyone now and for the future. Trusted Information Systems, TIS report 541, January.
139. Wang, Xiaoyun, Yiqun Lisa Yin, and Hongbu Yu. 2005. Finding collisions in the full SHA-1. In Advances in Cryptology - CRYPTO 2005:25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 2005, Proceedings (LNCS 3621), 17-36. Berlin: Springer-Verlag.
140. White, Gregory B., Eric A Fisch, and Udo W Pooch. 1996. Cooperating security managers: Apeer-based intrusion detection system. IEEE Network 10 (1): 20-23.
141. Whitehouse, Ollie, Joe Grand, and Brian Hassick. 2003. Nokia GGSN (IP650 based) DoS issues.@stake Advisory, June 9. http://archives.neohapsis.com/ archives/vulnwatch/2003-q2/0098.html.
142. Whitten, Alma, and J.D Tygar. 1999. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, 9-184.
143. Wilcox, Joe. 2002. Microsoft again pushes back. Net Server. CNET News, March 1. http://news.com.com/2100-1001-848912.html.
144. Wright, Rebecca N., Patrick Lincoln, and Jonathan K. Millen. 2000. Efficient fault-tolerant certificate revocation. In Proceedings of the 7th ACM Conference on Computer and Communications Security, 19-24. New York: ACM Press.
145. Zhang, Yongguang and Wenke Lee. 2000. Intrusion detection in wireless ad-hoc networks. In Proceedings of the 6th International Conference on Mobile Computing and Networking, 275-283. New York: ACM Press.
146. Zhou, Jianying, and Dieter Gollmann. 1996a. A fair non-repudiation protocol. In Proceedings of the 1996 IEEE Symposium on Research in Security and Privacy, 55-61. Oakland, CA IEEE Computer Society Press.
147. -. 1996b. Observations on non-repudiation. In Advances in Cryptology - ASIACRYPT '96: International Conference on the Theory and Applications of Cryptology and Information Security, Kyongju, Korea, November 1996, Proceedings (LNCS 1163), ed. Kwangjo Kim and Tsutomu Matsumoto, 133-144. Berlin: Springer-Verlag.
148. -. 1997a. An efficient non-repudiation protocol. In PCSFW: Proceedings of the 10th Computer Security Foundations Workshop. Oakland, CA IEEE Computer Society Press.
149. -. 1997b. Evidence and non-repudiation. Journal of Network and Computer Applications 20 (3).
150. -. 1998. Towards verification of non-repudiation protocols. In International Refinement Workshop and Formal Methods Pacific '98, edited by Jim Grundy, Mart. In Schwenke, and Trevor Vickers, 370-380. Berlin: Springer-Verlag.
151. Zimmermann, Phillip, Alan Johnston (Ed.), and Jon Callas. 2006. ZRTP: Extensions to RTP for Diffie-Hellman key agreement for SRTP. Phil Zimmermann's Home Page, September 6. www.philzimmermann.com/docs/draft-zimmermann-avt-zrtp- 01.html.
152. Zwicky Elizabeth D., Simon Cooper, and D. Brent Chapman. 2000. Building Internet firewalls, second edition. Sebastapol, CA O'Reilly and Associates.