| Reference | Link |
|---|---|
| **Relevant Security Advisories** | |
| RUS-CERT Advisory 2001-08:01 Vulnerabilities in several Apache authentication modules | http://cert.uni-stuttgart.de/advisories/apache_auth.php |
| CardSystems security breach exposes millions of credit cards | http://www.google.com/search?q=cardsystems+security+breach |
| **Freeware Tools** | |
| TamperIE | http://www.bayden.com |
| Digest::MD5 Perl module by Neil Winton | http://ppm.activestate.com/packages/MD5.ppd |
| MDcrack by Gregory Duchemin | http://membres.lycos.fr/mdcrack/nsindex2.html |
| NTLM Authentication Proxy Server (APS) | http://www.geocities.com/rozmanov/ntlm/ |
| WebCracker | http://online.securityfocus.com/tools/706 |
| Brutus AET2 | http://www.hoobie.net/brutus/index.html |
| Hydra | http://www.thc.org |
| **CAPTCHA Links** | |
| The CAPTCHA Project (covers Gimpy, Bongo, Pix, and Sounds) | http://www.captcha.net/ |
| PWNtcha, a CAPTCHA decoder | http://sam.zoy.org/pwntcha/ |
| **Microsoft Passport References** | |
| Microsoft Passport homepage | http://www.passport.com |
| "Risks of the Passport Single Signon Protocol" | http://avirubin.com/passport.html |
| Chris Shiflett's "Passport Hacking" | http://www.k2labs.org/chris/articles/passport/ |
| Mark Slemko's "Passport to Trouble" | http://alive.znep.com/~marcs/passport/ |
| FTC Consent Decree with Microsoft Passport | http://www.ftc.gov/os/2002/08/microsoftagree.pdf |
| Passport emailpwdreset vulnerability | http://www.securityfocus.com/archive/1/320806 |
| Liberty Alliance Project | http://www.projectliberty.org |
| **Strong Authentication Technologies** | |
| PassMark Security, Inc. | http://www.passmarksecurity.com |
| Bank of America PassMark implementation called SiteKey | http://www.bankofamerica.com/privacy/passmark |
| PassMark/SiteKey weaknesses discussed | http://mailchannels.blogspot.com/2005/07/passmark-sitekey-system-vulnerable-to.html |
| One-time Password specifications | http://www.rsasecurity.com/rsalabs/node.asp?id=2816 |
| RSA's SecureID OTP implementation | http://www.rsasecurity.com |
| RSA Security press release on E*Trade Secure ID implementation | http://www.rsasecurity.com/press_release.asp?doc_id=5567 |
| "Two-Factor Authentication: Too Little, Too Late," by Bruce Schneier, critiques OTP and other 2-factor systems | http://www.schneier.com/essay-083.html |
| **General References** | |
| The World Wide Web Security FAQ Section 5, "Protecting Confidential Documents at Your Site" | http://www.w3.org/Security/Faq/wwwsf5.html |
| RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication" | ftp://ftp.isi.edu/in-notes/rfc2617.txt |
| RFC 2478, SPNEGO | http://www.ietf.org/rfc/rfc2478.txt?number=2478 |
| IIS Authentication | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconIISAuthentication.asp |
| "Setting Up Digest Authentication for Use with Internet Information Services 5.0" (Q222028) | http://support.microsoft.com/default.aspx?scid=kb;EN-US;q222028 |
| "NTLM Authentication Scheme for HTTP" by Ronald Tschalär | http://www.innovation.ch/java/ntlm.html |
| "How to Disable LM Authentication on Windows NT" (Q147706) | http://support.microsoft.com/?kbid=147706 |
| "Using Forms Authentication in ASP.NET" | http://www.15seconds.com/issue/020220.htm |
| "Session ID Brute Force Exploitation" by David Endler | http://www.idefense.com/idpapers/SessionIDs.pdf |