lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 5 Oct 2005 16:04:48 -0400
From: "Lila Buchalski" <lbuchalski@...nsinc.com>
To: "'David Litchfield'" <davidl@...software.com>,
	<bugtraq@...urityfocus.com>
Subject: RE: Some new whitepapers ...



Has anyone written any white papers/articles on banking information
security? 

I would be interested in publishing quality white papers/articles that
had to do with any of the following:

-Core banking application security
-Identity theft
-VoIP security
-Compliance to information security regulations
-Other banking and information security related security topics. 

Let me know if you have any questions. 

Thanks, 
Lila B. 

Lila Buchalski
Editor
http://www.Bankinfosecurity.com
 

-----Original Message-----
From: David Litchfield [mailto:davidl@...software.com] 
Sent: Wednesday, October 05, 2005 8:20 AM
To: bugtraq@...urityfocus.com
Subject: Some new whitepapers ...

Hey all,

I've written two papers available from here 
http://www.ngssoftware.com/papers.htm

The first deals with buffer _underruns_ , DEP and Address Space Layout 
Randomization on Windows. During the paper's review process I was
pointed to 
http://www.phrack.org/show.php?p=58 which deals with the same conceptual

issues to defeat PaX on Linux but, as my paper was completed, I thought
I 
may as well still go ahead and release it. Besides mine discusses buffer

underruns, too :)

The second paper talks about using inference as a means of drilling for
data 
with SQL injection and it is based upon a talk I presented at Blackhat 
Europe earlier on in the year. I divide SQL injection data theft attacks

into three classes - inband, out-of-band and inference. The first,
in-band, 
uses the existing connection to get data out; the second, out-of-band,
uses 
another channel, e.g. smtp by using builtin database mail functions; and

lastly inference. With inference there is no actual transfer of data - 
rather it can be inferred what the data is by making observations about 
differences in the way an application behaves.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/

-- 
Internal Virus Database is out-of-date.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.11.7/112 - Release Date:
9/26/2005

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ