Format String Attacks
These slides show a picture of what's happening on the stack during such an attack.
Improving the Security of Your Site by Breaking Into it
*The early '90s perspective* "In this paper we will take an unusual approach to system security. Instead of merely saying that something is a problem, we will look through the eyes of a potential intruder, and show why it is one..."
The easiest way to get around SSL
This paper explains how it is often possible, with the simple substitution of a string, to get around a "secure" implementation based on an incorrect use of SSL. Please note that this document does not contain any information about weaknesses of the SSL protocol; it simply shows the easiest way to get around the correct functioning of the SSL protocol. In this document typical "weakly secure" implementations based on the SSL protocol are illustrated. A simple test application is also proposed to check if existing implementations are indeed "weakly secure".
Known Attacks Against Smartcards
This document analyzes, from a technical point of view, currently known attacks against smart card implementations. The purpose of this analysis is to give the necessary background for the assessment of the mechanisms that can enhance the security of smart cards. This document is mainly intended for people who are considering the use of cryptographic modules and who need to compare several options with respect to their security.
The Flat Footed Hacker
You have a firewall protecting your resources from the Internet. You operate a proxy server for your users to access the Internet without them having to directly touch the Internet. You are diligent with the latest system patches. Even through your efforts, are you still leaking too much information out to the bad guys?
Corporate LAN Intranet Server Compromise
I plan to compromise the Intranet server on our corporate LAN and install an illicit application of some sort. I do not want to use my normal user account or my normal system to hack into the server. Disclaimer for myself: I am the administrator of my company's Intranet server. I have performed the tasks outlined below with the full knowledge of my managers and co-workers, and the blessing of the Audit and Data Security departments. Along those same lines, the names of the people, domains, and systems involved have been changed, as well as the IP addresses (to protect the innocent and the not-so-innocent).
Routine External and Internal Hacking, An Important Part of Information Assurance
One of Aesop's many fables was "The Hare and the Tortoise". In it, the Tortoise challenged the Hare to a race and the Hare, believing her assertion to be simply impossible, assented to the proposal; and they agreed that the Fox should choose the course and fix the goal. On the day appointed for the race the two started together. The Tortoise never for a moment stopped, but went on with a slow but steady pace straight to the end of the course. The Hare, lying down by the wayside, fell fast asleep. At last waking up, and moving as fast as he could, he saw the Tortoise had reached the goal, and was comfortably dozing after her fatigue. The moral of the story was that "Slow but steady wins the race."
Anti-Hacking: The Protection of Computers
In the Computer Security industry, there are many solutions available to help combat cyber crime. Firewalls and Intrusion Detection systems are in place across the Internet to help protect more networks than ever before. Teams at software corporations work diligently on creating patches for known vulnerabilities, yet every day the number of computers that are compromised increases. It seems like almost every week a big Internet or software company has a security incident, so what does this say about the Computer Security industry? Even with the software available to defend the networks of companies, it takes more than that. The education of the security administrators is the key to using those software packages correctly.
Red Teaming: The Art of Ethical Hacking
Red Teaming is a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access. This process is also called "ethical hacking" since its ultimate purpose is to enhance security. Ethical hacking is an "art" in the sense that the "artist" must possess the skills and knowledge of a potential attacker (to imitate an attack) and the resources with which to mitigate the vulnerabilities used by attackers. Although this paper discusses the methodology and tools used to perform Red Teaming, its purpose is to discuss the overall role of Red Teaming in evaluating a system's/network's security posture. The paper does not intend to be a "how-to" guide to Red Teaming; rather, it justifies the need for such methods to provide an accurate situational awareness for network/system security.
The Art of Reconnaissance - Simple Techniques.
In the text that follows we shall concentrate on reconnaissance with a motive, i.e. trying to attack a particular target, say a victim organization. The victim organization is in India and all the information available with us is a domain name, victim.co.in (as we go along we will confirm if this really belongs to the victim organization). With this knowledge, how do we launch an attack against the victim organization?