lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 21 Mar 2005 18:53:42 -0000
From: "Gunter Ollmann (NGS)" <gunter@...software.com>
To: <bugtraq@...urityfocus.com>
Subject: New Whitepaper: Anti Brute Force Resource Metering


Hi List,

It's been a couple of months since my last whitepaper, so time for a new
one.  This new whitepaper focuses upon a method known as "resource metering"
to actively restrict (and possibly prevent) many brute force guessing attack
vectors that target custom web authentication processes.

The paper is now available from the NGS website:
http://www.ngssoftware.com/papers/NISR-AntiBruteForceResourceMetering.pdf

As always, I'm happy to discuss the topic further and would value
discussions about the techniques talked about in the paper.

Abstract:     
"Web-based applications authentication processes are frequently vulnerable
to automated brute force guessing attacks.  Whilst commonly proposed
solutions make use of escalating time delays and minimum lockout threshold
strategies, these tend to prove ineffectual in real attacks and may actually
promote additional attack vectors.           

Resource metering through client-side computationally intensive "electronic
payments" can provide an alternative strategy in defending against brute
force guessing attacks.  This whitepaper discusses how such a solution works
and the security advantages it can bring."


Cheers,

Gunter Ollmann

------------------------------------------------------
G u n t e r   O l l m a n n,            MSc(Hons), BSc
Professional Services Director                        
                                                      
Next  Generation  Security  Software  Ltd.            
First Floor, 52 Throwley Way  Tel: +44 (0)208 401 0089
Sutton, Surrey, SM1 4BF, UK   Mob: +44 (0)7710 496 714
http://www.nextgenss.com      Fax: +44 (0)208 401 0076
------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ