Reference | Link |
---|---|
Relevant Security Advisories | |
RUS-CERT Advisory 2001-08:01 Vulnerabilities in several Apache authentication modules | http://cert.uni-stuttgart.de/advisories/apache_auth.php |
CardSystems security breach exposes millions of credit cards | http://www.google.com/search?q=cardsystems+security+breach |
Freeware Tools | |
TamperIE | http://www.bayden.com |
Digest::MD5 Perl module by Neil Winton | http://ppm.activestate.com/packages/MD5.ppd |
MDcrack by Gregory Duchemin | http://membres.lycos.fr/mdcrack/nsindex2.html |
NTLM Authentication Proxy Server (APS) | http://www.geocities.com/rozmanov/ntlm/ |
WebCracker | http://online.securityfocus.com/tools/706 |
Brutus AET2 | http://www.hoobie.net/brutus/index.html |
Hydra | http://www.thc.org |
CAPTCHA Links | |
The CAPTCHA Project (covers Gimpy, Bongo, Pix, and Sounds) | http://www.captcha.net/ |
PWNtcha, a CAPTCHA decoder | http://sam.zoy.org/pwntcha/ |
Microsoft Passport References | |
Microsoft Passport homepage | http://www.passport.com |
"Risks of the Passport Single Signon Protocol" | http://avirubin.com/passport.html |
Chris Shiflett's "Passport Hacking" | http://www.k2labs.org/chris/articles/passport/ |
Marc Slemko's "Passport to Trouble" | http://alive.znep.com/~marcs/passport/ |
FTC Consent Decree with Microsoft Passport | http://www.ftc.gov/os/2002/08/microsoftagree.pdf |
Passport emailpwdreset vulnerability | http://www.securityfocus.com/archive/1/320806 |
Liberty Alliance Project | http://www.projectliberty.org |
Strong Authentication Technologies | |
PassMark Security, Inc. | http://www.passmarksecurity.com |
Bank of America PassMark implementation called SiteKey | http://www.bankofamerica.com/privacy/passmark |
PassMark/SiteKey weaknesses discussed | http://mailchannels.blogspot.com/2005/07/passmark-sitekey-system-vulnerable-to.html |
One-time Password specifications | http://www.rsasecurity.com/rsalabs/node.asp?id=2816 |
RSA's SecurID OTP implementation | http://www.rsasecurity.com |
RSA Security press release on E*Trade SecurID implementation | http://www.rsasecurity.com/press_release.asp?doc_id=5567 |
"Two-Factor Authentication: Too Little, Too Late," by Bruce Schneier, critiques OTP and other two-factor systems | http://www.schneier.com/essay-083.html |
General References | |
The World Wide Web Security FAQ Section 5, "Protecting Confidential Documents at Your Site" | http://www.w3.org/Security/Faq/wwwsf5.html |
RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication" | ftp://ftp.isi.edu/in-notes/rfc2617.txt |
RFC 2478, "The Simple and Protected GSS-API Negotiation Mechanism" (SPNEGO) | http://www.ietf.org/rfc/rfc2478.txt?number=2478 |
IIS Authentication | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconIISAuthentication.asp |
"Setting Up Digest Authentication for Use with Internet Information Services 5.0" (Q222028) | http://support.microsoft.com/default.aspx?scid=kb;EN-US;q222028 |
"NTLM Authentication Scheme for HTTP" by Ronald Tschalär | http://www.innovation.ch/java/ntlm.html |
"How to Disable LM Authentication on Windows NT" (Q147706) | http://support.microsoft.com/?kbid=147706 |
"Using Forms Authentication in ASP.NET" | http://www.15seconds.com/issue/020220.htm |
"Session ID Brute Force Exploitation" by David Endler | http://www.idefense.com/idpapers/SessionIDs.pdf |