[40632] in bugtraq
RE: Some new whitepapers ...
daemon@ATHENA.MIT.EDU (Lila Buchalski)
Thu Oct 6 14:59:59 2005
Reply-To: <lbuchalski@iconsinc.com>
From: "Lila Buchalski" <lbuchalski@iconsinc.com>
To: "'David Litchfield'" <davidl@ngssoftware.com>, <bugtraq@securityfocus.com>
Date: Wed, 5 Oct 2005 16:04:48 -0400
Message-ID: <005701c5c9e8$09f16da0$6501a8c0@DDXMHZ51>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <012001c5c9a7$24de0a60$1b00a8c0@ngssoftware.com>
Has anyone written any white papers/articles on banking information
security?
I would be interested in publishing quality white papers/articles that
had to do with any of the following:
-Core banking application security
-Identity theft
-VoIP security
-Compliance to information security regulations
-Other banking and information security related security topics.
Let me know if you have any questions.
Thanks,
Lila B.
Lila Buchalski
Editor
http://www.Bankinfosecurity.com
-----Original Message-----
From: David Litchfield [mailto:davidl@ngssoftware.com]
Sent: Wednesday, October 05, 2005 8:20 AM
To: bugtraq@securityfocus.com
Subject: Some new whitepapers ...
Hey all,
I've written two papers available from here
http://www.ngssoftware.com/papers.htm
The first deals with buffer _underruns_ , DEP and Address Space Layout
Randomization on Windows. During the paper's review process I was
pointed to
http://www.phrack.org/show.php?p=58 which deals with the same conceptual
issues to defeat PaX on Linux but, as my paper was completed, I thought
I
may as well still go ahead and release it. Besides mine discusses buffer
underruns, too :)
The second paper talks about using inference as a means of drilling for
data
with SQL injection and it is based upon a talk I presented at Blackhat
Europe earlier on in the year. I divide SQL injection data theft attacks
into three classes - inband, out-of-band and inference. The first,
in-band,
uses the existing connection to get data out; the second, out-of-band,
uses
another channel, e.g. smtp by using builtin database mail functions; and
lastly inference. With inference there is no actual transfer of data -
rather it can be inferred what the data is by making observations about
differences in the way an application behaves.
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
--
Internal Virus Database is out-of-date.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.11.7/112 - Release Date:
9/26/2005
