Thomas Grechenig


Ao.Univ.Prof. Dipl.-Ing. Dr.techn.

Thomas Grechenig

  • Orcid: 0009-0000-5622-8598
  • Roles: Associate Professor

Publications

Mining security changes in FreeBSD
Andreas Mauczka, Christian Schanes, Florian Fankhauser, Mario Bernhart, Thomas Grechenig


Handle: 20.500.12708/53545; Year: 2010; Issued On: 2010-01-01; Type: Publication; Subtype: Inproceedings; Peer Reviewed:

Abstract: Current research on historical project data is rarely touching on the subject of security related information. Learning how security is treated in projects and which parts of a software are historically security relevant or prone to security changes can enhance the security strategy of a software project. We present a mining methodology for security related changes by modifying an existing method of software repository analysis. We use the gathered security changes to find out more about the nature of security in the FreeBSD project and we try to establish a link between the identified security changes and a tracker for security issues (security advisories). We give insights how security is presented in the FreeBSD project and show how the mined data and known security problems are connected.

Mauczka, A., Schanes, C., Fankhauser, F., Bernhart, M., & Grechenig, T. (2010). Mining security changes in FreeBSD. In Proceedings of 7th IEEE Working Conference on Mining Software Repositories (MSR) (pp. 90–93). IEEE. http://hdl.handle.net/20.500.12708/53545

Entwurf und Entwicklung einer dynamischen Prüfkomponente für den Pseudonymisierungsgrad zum Zweck des Peer-to-Peer Austauschs medizinischer Daten in Forschung und Lehre
Pujan Shadlau, Mario Bernhart, Florian Fankhauser, Thomas Grechenig


Handle: 20.500.12708/12958; Year: 2009; Issued On: 2009-01-01; Type: Thesis; Subtype: Diploma Thesis;

Keywords: Anonymization, Pseudonymization, Research and Teaching, l-Diversity, Diversity, k-Anonymity, Data Privacy, Security
Abstract: Personal Data, concerning unique individuals, requires accurate treatment ever since. To avoid the disclosure of these unique individuals through the exploit of personal data during electronic exchange, certain steps can be taken, including anonymization- and pseudonymization-techniques. In the first instance we focus on the comparison of current anonymization- and pseudonymization-techniques and then continue with the proposal for a verifying-component which is going to be realized within the scope of a case-study at the Technical University of Vienna. Purpose of the component is the delivery of a decision-base for the peer-to-peer exchange of medical data so no unique individuals can be identified during the exploit of this data. Therefore the component assures a certain standard of pseudonymity for the medical data in regards of diversity and anonymity. Finally a proposal for the verifying-component is made in the last section of this scientific work. Research showed that current anonymization and pseudonymization methods are insufficient in terms of security and attacks on them, so that a maximum level of security cannot be guaranteed at this point of time.

Shadlau, P. (2009). Entwurf und Entwicklung einer dynamischen Prüfkomponente für den Pseudonymisierungsgrad zum Zweck des Peer-to-Peer Austauschs medizinischer Daten in Forschung und Lehre [Master Thesis, Technische Universität Wien]. reposiTUm. https://resolver.obvsg.at/urn:nbn:at:at-ubtuw:1-31245

Problem space and special characteristics of security testing in live and operational environments of large systems exemplified by a nationwide IT infrastructure
Christian Schanes, Florian Fankhauser, Thomas Grechenig, Michael Schafferer, Kai Behning, Dieter Hovemeyer


Handle: 20.500.12708/53068; Year: 2009; Issued On: 2009-01-01; Type: Publication; Subtype: Inproceedings; Peer Reviewed:

Abstract: The paper discusses foundations and requirements for testing security robustness aspects in operational environments while adhering to defined protection values for data. It defines the problem space and special characteristics of security testing in large IT infrastructures. In this area there are different environments with varying characteristics, e.g., regarding confidentiality of data. Common environments based on an existing IT project are defined. Testing in dedicated test environments is state of the art, however, sometimes this is not sufficient and testing in operational environments is required. Case studies showed many restrictions in the security test process, e.g., limited access for testers, which have to be addressed. The problems of testing in these operational environments are pointed out. Experiences and some current solution approaches for testing these special environments are shown (e.g., usage of disaster/recovery mechanism).

Schanes, C., Fankhauser, F., Grechenig, T., Schafferer, M., Behning, K., & Hovemeyer, D. (2009). Problem space and special characteristics of security testing in live and operational environments of large systems exemplified by a nationwide IT infrastructure. In Advances in System Testing and Validation Lifecycle (pp. 161–166). IEEE. http://hdl.handle.net/20.500.12708/53068

Heuristische Methoden zur Abwehr von Distributed Denial of Service Angriffen auf HTTP-Dienste
Alexander Terczka, Florian Fankhauser, Thomas Grechenig


Handle: 20.500.12708/183758; Year: 2008; Issued On: 2008-01-01; Type: Thesis; Subtype: Diploma Thesis;

Keywords: Internet, Security, DDoS, Distributed Denial of Service
Abstract: Distributed Denial of Service attacks are the major threat for public web services today. The DDoS attack traffic uses the same protocols and usage patterns as a legitimate user. Therefore attack traffic and user traffic can hardly be distinguished. In this document the possible attack methods are derived from the used protocols (IP, TCP, HTTP) and the impact of these attacks to the service area is demonstrated.
Referring to the attack methods, possible defence mechanisms are listed.
The source of these mechanisms are practical solutions, research projects, and commercial vendors. Beside that, new defence methods were designed, implemented and described in this document. Some of these techniques can be combined to comprehensive defence systems, which help to protect against arbitrary DDoS attacks.

Terczka, A. (2008). Heuristische Methoden zur Abwehr von Distributed Denial of Service Angriffen auf HTTP-Dienste [Diploma Thesis, Technische Universität Wien]. reposiTUm. http://hdl.handle.net/20.500.12708/183758

Durchführungskonzept eines Penetrationstests anhand einer IT- Infrastruktur eines Unternehmens mit mobilen Clients
Christian Schanes, Florian Fankhauser, Thomas Grechenig


Handle: 20.500.12708/183793; Year: 2008; Issued On: 2008-01-01; Type: Thesis; Subtype: Diploma Thesis;

Abstract: Dependence on IT systems for business purposes is steadily increasing. Attacks on these systems can compromise the requirements regarding availability, confidentiality and integrity of data and thus cause losses for the company. The systems must be secured in such a way that the effort for an attacker is higher than the benefit gained from a successful attack.
This thesis deals with penetration tests, one possible testing technique for verifying the security of infrastructures. Testers carry out simulated attacks to identify existing vulnerabilities in the system and to demonstrate their exploitability. Penetration tests are applied to the running system, so installation and configuration errors in the operational environment are also found. Penetration tests can make an important contribution to a comprehensive security assessment in order to secure the systems. The possibilities and limitations of penetration tests are presented in this thesis using an application example, by defining a penetration test concept. This concept takes into account the testing techniques required for the technologies in use and furthermore discusses organizational aspects of carrying out the test.

Schanes, C. (2008). Durchführungskonzept eines Penetrationstests anhand einer IT- Infrastruktur eines Unternehmens mit mobilen Clients [Master Thesis, Technische Universität Wien]. reposiTUm. http://hdl.handle.net/20.500.12708/183793
