Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

New Whitepaper: Anti Brute Force Resource Metering

from [Gunter Ollmann (NGS)] Network Security [Permanent Link]
Subject: New Whitepaper: Anti Brute Force Resource Metering
Date: Mon, 21 Mar 2005 18:53:42 -0000 
Hi List,

It's been a couple of months since my last whitepaper, so time for a new
one.  This new whitepaper focuses upon a method known as "resource metering"
to actively restrict (and possibly prevent) many brute force guessing attack
vectors that target custom web authentication processes.

The paper is now available from the NGS website:
http://www.ngssoftware.com/papers/NISR-AntiBruteForceResourceMetering.pdf

As always, I'm happy to discuss the topic further and would value
discussions about the techniques talked about in the paper.

Abstract:     
"Web-based applications authentication processes are frequently vulnerable
to automated brute force guessing attacks.  Whilst commonly proposed
solutions make use of escalating time delays and minimum lockout threshold
strategies, these tend to prove ineffectual in real attacks and may actually
promote additional attack vectors.           

Resource metering through client-side computationally intensive "electronic
payments" can provide an alternative strategy in defending against brute
force guessing attacks.  This whitepaper discusses how such a solution works
and the security advantages it can bring."


Cheers,

Gunter Ollmann

------------------------------------------------------
G u n t e r   O l l m a n n,            MSc(Hons), BSc
Professional Services Director                        
                                                      
Next  Generation  Security  Software  Ltd.            
First Floor, 52 Throwley Way  Tel: +44 (0)208 401 0089
Sutton, Surrey, SM1 4BF, UK   Mob: +44 (0)7710 496 714
http://www.nextgenss.com      Fax: +44 (0)208 401 0076
------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  phpMyFamily 1.4.0 SQL vulnerabilities, kre0n
Next by Date:  Re: [VulnWatch] Details of Sybase ASE bugs withheld, Halvar Flake
Previous by Thread:  [VulnWatch] Details of Sybase ASE bugs withheld, NGSSoftware Insight Security Research
Next by Thread:  Re: New Whitepaper: Anti Brute Force Resource Metering, Amit Klein (AKsecurity)
Indexes:  [Date] [Thread] [Top] [All Lists]